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1 1. Scope and Audience 

2 The TPCA main specification is an industry specification that enables trust in computing 

3 platforms in general. The main specification is broken into parts to make the role of each 

4 document clear. A version of the specification (like 1.2) requires all parts to be a complete 

5 specification. 

6 This is Part 3 the structures that the TPM will use. 

7 This document is an industry specification that enables trust in computing platforms in 

8 general. 
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9 1.1 Keywords 

10 The key words "MUST," "MUST NOT/' "REQUIRED," "SHALL," "SHALL NOT," "SHOULD," 

11 "SHOULD NOT," "RECOMMENDED," "MAY," and "OPTIONAL" in the chapters 2-10 

12 normative statements are to be interpreted as described in [RFC-21 19]. 
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13 1.2 



Statement Type 



14 Please note a very important distinction between different sections of text throughout this 

15 document. You will encounter two distinctive kinds of text: informative comment and 

16 normative statements. Because most of the text in this specification will be of the kind 

17 normative statements, the authors have informally defined it as the default and, as such, 

18 have specifically called out text of the kind informative comment. They have done this by 

19 flagging the beginning and end of each informative comment and highlighting its text in 

20 gray. This means that unless text is specifically marked as of the kind informative 

21 comment, you can consider it of the kind normative statements. 

22 For example: 



31 This is the first paragraph of one or more paragraphs (and/or sections) containing the text 

32 of the kind normative statements ... 

33 To understand the TPM specification the user MUST read the specification. (This use of 

34 MUST indicates a keyword usage and requires an action). 




28 To understand the TPM specification the user must read the specification. (This use of 

29 MUST does hot require any action). 

30 End of informatiyejcomm „ „ _ . Z „ 



Level 2 Revision 94 29 March 2006 Draft 



3 

TCG Published 



Copyright © TCG 



TPM Main Part 3 Commands 
Specification Version 1 .2 



35 2. Description and TODO 

36 This document is to show the changes necessary to create the 1.2 version of the TCG 

37 specification. Some of the sections are brand new text; some are rewritten sections of the 

38 1.1 version. Upon approval of the 1.2 changes, there will be a merging of the 1.1 and 1.2 

39 versions to create a single 1.2 document. 
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40 


O A rliY^i n 4* ^ ■ ■ _r> ____n_pl C2_ _h __i^____. 

o. Mumin oiarcup ana oiaie 




41 


FStart of informative comment: 




42 


|This section is the commands that start a TPM. 




43 


|End of informative comment. 


t 

. _ ' ' I 


44 


3.1 TPMJnit 





50 
51 

52 



Start of informative comment: 



TPMJnit is a physical method of initializing a TPM. There is no TPMJnit ordinal as this is a 
platform message sent on the platform internals to the TPM. On a PC this command arrives 
at the TPM via the LPC bus and informs the TPM that the platform is performing a boot 



process. 

TPMJnit puts the TPM into a state where it waits for the command TPM JStartup (which 
specifies the type of initialization that is required. 

End of informative comment. ; _ / " : ' " ' : ' " 



53 Definition 

54 TPM_Init () ; 
55 

56 Operation of the TPM. This is not a command that any software can execute. It is inherent 

57 in the design of the TPM and the platform that the TPM resides on. 



58 Parameters 

59 None 



60 Description 

61 1. The TPMJnit signal indicates to the TPM that platform initialization is taking place. The 

62 TPM SHALL set the TPM into a state such that the only legal command to receive after 

63 the TPMJnit is the TPM_Startup command. The TPMJStartup will further indicate to the 

64 TPM how to handle and initialize the TPM resources. 

65 2. The platform design MUST be that the TPM is not the only component undergoing 

66 initialization. If the TPMJnit signal forces the TPM to perform initialization then the 

67 platform MUST ensure that ALL components of the platform receive an initialization 

68 signal. This is to prevent an attacker from causing the TPM to initialize to a state where 

69 various masquerades are allowable. For instance, on a PC causing the TPM to initialize 

70 and expect measurements in PCRO but the remainder of the platform does not initialize. 

71 3. The design of the TPM MUST be such that the ONLY mechanism that signals TPMJnit 

72 also signals initialization to the other platform components. 

73 Actions 

74 1. The TPM sets TPMJ3TANY.FLAGS -> postlnitialise to TRUE. 
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3.2 TPM_Startup 



79 
80 
81 
82 
83 

84 

85 

86 
87 
88 

89 
90 
91 

92 
93 

94 
95 



Start of informative comment: 

TPM_Startup is always preceded by TPMJnit, which is the physical indication (a system- 
wide reset) that TPM initialization is necessary. 

There are many events on a platform that can cause a reset and the response to these | 
events can require different operations to occur on the TPM. The mere reset indication does j 
not contain sufficient information to inform the TPM as to what type of reset is occurring, j 
Additional information known by the platform initialization code needs transmitting to the j 
(TPM. The TPM_Startup command provides the mechanism to transmit the information. 

The TPM can startup in three different modes: 

A "clear" start where all variables go back to their default or non-volatile set state 




successful. • . 

A failing "save" start must shut down the TPM. The CRTM cannot leave the TPM in a state 
[where an untrusted upper software layer could issue a "clear" and then extend PCR's and 
; thus mimic the CRTM. 

A "deactivated" start where the TPM turns itself off and requires another TPMJnit before 
the TPM will execute in a fully operational state. i 



End of informative comment. 



Incoming Parameters and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM_TAG 


tag 


TPM_TAG_RQU_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_C0MMAND_C0DE 


ordinal 


Command ordinal TPM_ORD_Startup 


4 


2 


?s 


2 


TPM_STARTUP_TYPE 


startupType 


Type of startup that is occurring 


Ou 


tgo 


ing I 


Pars 


imeters and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 






1 


2 






TPMJTAG 


tag 


TPM_TAG_RSP_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM.RESULT 


retumCode 


The return code of the operation. 






2S 


4 


TPMjCOMMANDjCODE 


ordinal 


Command ordinal: TPM_ORD_Startup 



96 



97 
98 



Description 

TPM_Startup MUST be generated by a trusted entity (the RTM or the TPM, for example). 



Level 2 Revision 94 29 March 2006 Draft 



TCG Published 



TPM Main Part 3 Commands TCG © Copyright 

Specification Version 1 .2 



99 Actions 

100 1. If TPM_STANY__FLAGS -> postlnitialise is FALSE, 

101 a. Then the TPM MUST return TPMJNVALIDJPOSTINIT, and exit this capability 

102 2. If stType = TPM_ST_CLEAR 

103 a. Ensure that sessions associated with resources TPM„RT_CONTEXT, TPM_RT_AUTH 

104 and TPM_RT_TRANS are invalidated 

105 b. Reset TPM_STCLEAR_DATA -> PCR[] values to each correct default value 

106 i. pcrReset is FALSE, set to 0x00.. 00 

107 ii. pcrReset is TRUE, set to OxFR.FF 

108 c. Set the following TPM_STCLEAR_FLAGS to their default state 

109 i. PhysicalPresence 

110 ii. PhysicalPresenceLock 

111 iii. disableForceClear 

112 d. The TPM MAY initialize auditDigest to NULL 

113 i. If not initialized to NULL the TPM SHALL ensure that auditDigest contains a valid 

114 value 

115 ii. If initialization fails the TPM SHALL set auditDigest to NULL and SHALL set the 

116 internal TPM state so that the TPM returns TPM.FAILEDSELFTEST to all 

117 subsequent commands. 

118 e. The TPM SHALL set TPM_STCLEAR_FLAGS -> deactivated to the same state as 

1 19 TPM_PERMANENT_FLAGS -> deactivated 

120 f. The TPM MUST set the TPM_STANY_DATA fields to: 

121 i. TPM_STANY_D ATA- >contextNonceSession is set to NULLS 

122 ii. TPM_STANY_JD ATA- >contextCount is set to 0 

123 iii. TPM_STANY_DATA- >contextList is set to 0 

124 g. The TPM MUST set TPM_STCLEAR_DATA fields to: 

125 i. Invalidate contextNonceKey 

126 ii. countID to NULL 

127 iii. ownerReference to TPMJKH.OWNER 

128 h. The TPM MUST set the following TPM_STCLEAR_FLAGS to 

129 i . bGlobalLock to FALSE 

130 i. Determine which keys should remain in the TPM 

131 i. For each key that has a valid preserved value in the TPM 

132 (1) if parentPCRStatus is TRUE then call TPM_FlushSpecific(keyHandle) 

133 (2) if IsVolatile is TRUE then call TPM_FlushSpecific(keyHandle) 

134 ii. Keys under control of the OwnerEvict flag MUST stay resident in the TPM 
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135 3. If stType = TPM_ST_STATE 



136 a. If the TPM has no state to restore the TPM MUST set the internal state such that it 

137 returns TPM_FAILEDSELFTEST to all subsequent commands 

138 b. The TPM MAY determine for each session type (authorization, transport...) to release 

139 or maintain the session information. The TPM reports how it manages sessions in the 

140 TPM_GetCapability command. 

141 c. The TPM SHALL take all necessary actions to ensure that all PCRs contain valid 

142 preserved values. If the TPM is unable to successfully complete these actions, it SHALL 

143 enter the TPM failure mode. 

144 i. For resettable PCR the TPM MUST set the value of TPM_STCLEAR_DATA -> 

145 PCR[]to the resettable PCR default value. The TPM MUST NOT restore a resettable 

146 PCR to a preserved value 

147 d. The TPM MAY initialize auditDigest to NULL 

148 i. Otherwise, the TPM SHALL take all actions necessary to ensure that auditDigest 

149 contains a valid value. If the TPM is unable to successfully complete these 

150 actions, the TPM SHALL initialize auditDigest to NULL and SHALL set the internal 

151 set such tha t the TPM returns TPM.FAILEDSELFTEST to all subsequent 

152 commands. 

153 e. The TPM MUST restore the following flags to their preserved states: 

154 i. All values in TPM_STCLEAR_FLAGS 

155 ii. All values in TPM_STCLEAR_D ATA 

156 f. The TPM MUST restore all keys that have a valid preserved value 

157 g. The TPM resumes normal operation. If the TPM is unable to resume normal 

158 operation, it SHALL enter the TPM failure mode. 

159 4 . if stType = TPM_ST_DEACTIVATED 

160 a. Invalidate sessions 

161 i. Ensure that all resources associated with saved and active sessions are 

162 invalidated 

163 b. Set the TPM_STCLEAR_FLAGS to their default state. 

164 c. Set TPM_STCLEAR_FLAGS -> deactivated to TRUE 

165 5. The TPM MUST ensure that state associated with TPM_SaveState is invalidated 

166 6. The TPM MUST set TPM_STANY_FLAGS -> postlnitialise to FALSE 

167 a. postlnitialize is set to FALSE even if the TPM is in failure mode. 
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168 


3.3 TPM_SaveState 


169 


Start of informative comment: 


170 


This warns a TPM to save some state information. 


171 


It tne relevant snieiaed. storage is non- volatile , tnis command neea nave no eneci. 


172 
173 
174 


If the relevant shielded storage is volatile and the TPM alone is unable to detect the loss of 
external power in time to move data to nbn- volatile memory, this command should be 
presented before the TPM enters a low or no power state. 


175 


End of informative comment . 


176 


Incoming Parameters and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM_TAG 


tag 


TPM_TAG_RQU_COMMAN D 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_C0MMAND_C0DE 


ordinal 


Command ordinal: TPM_ORD_SaveState. 


Ou 


tgo 


ing Parameters and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM_TAG 


tag 


TPM_TAG_RSP_COMMAND j 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM.RESULT 


return Code 


The return code of the operation. 






2S 


4 


TPM_C0MMAND_C0DE 


ordinal 


Command ordinal: TPM_ORD_SaveState. 



178 


Description 


179 


l. 


Preserved values MUST be non-volatile. 


180 


2. 


If data is never stored in a volatile medium, that data MAY be used as preserved data. In 


181 




such cases, no explicit action may be required to preserve that data. 


182 


3. 


If an explicit action is required to preserve data, it MUST te possible for the TPM to 


183 




determine whether preserved data is valid. 


184 


4. 


If a parameter mirrored by any preserved value is altered, all preserved values MUST be 


185 




declared invalid. 


186 


5. 


The TPM MAY declare all preserved values invalid in response to any command other 


187 




than TPM_Init. 


188 


Actions 


189 


1. 


Store TPM_STCLEAR_DATA -> PCR contents except for 


190 




a. If the PCR attribute pcrReset is TRUE 


191 




b. Any platform identified debug PCR 
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192 2. The auditDigest MUST be handled according to the audit requirements as reported by 

193 TPM_GetCapability 

194 a. If the ordinalAuditStatus is TRUE for the TPM_SaveState ordinal and the auditDigest 

195 is being stored in the saved state, the saved auditDigest MUST include the 

196 TPM^SaveState input parameters and MUST NOT include the output parameters. 

197 3. All values in TPM_STCLEAR_DATA MUST be preserved 

198 4. All values in TPM_STCLEAR_FLAGS MUST be preserved 

199 5. The contents of any key that is currently loaded SHOULD be preserved if the key's 

200 parentPCRStatus indicator is FALSE and its IsVolatile indicator is FALSE. 

201 6. The contents of any key that has TPM_KEY„CONTROL_OWNER_EVICT set MUST be 

202 preserved 

203 7. The contents of any key that is currently loaded MAY be preserved as reported by 

204 TPM_GetCapability 

205 8. The contents of sessions (authorization, transport etc.) MAY be preserved as reported by 

206 TPM_GetCapability 
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4. Admin Testing 
4.1 TPM SelfTestFull 



Start of informative comment: 



TPM SelfTestFull tests all of the TPM capabilities. 

Unlike TPM ContinueSelfTest, which may optionally return ; immediately arid then perform 
the tests , TPM SelfTestFull always performs the tests and then returns success or faimre. 

'. ..' ' '■■ ' " '■■.■:*■*<■ ri--. - . ■ , -■..<:. ,' ,-v : * ■ „ : : 

End of informative comment. ^ 



Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


, # 


SZ 


# 


SZ 


1 


2 






TPM.TAG 


tag 


TPM_TAG_RQU_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_C0MMAND_C0DE 


ordinal 


Command ordinat TPM_ORD_SelfTestFull 


Outgoing Operands and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM_TAG 


tag 


TPM_TAG_RSP_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM.RESULT 


returnCode 


The return code of the operation. 






2S 


4 


TPM_C0MMAND_C0DE 


ordinal 


Command ordinat TPM J)RD_Se1fTestFull 



Actions 

1 . TPM^SelfTestFull SHALL cause a TPM to perform self- test of each TPM internal function. 

a. If the self-test succeeds, return TPMJ3UCCESS. 

b. If the self-test fails, return TPM_FAILEDSELFTEST. 

2. Failure of any test results in overall failure, and the TPM goes into failure mode. 

3. If the TPM has not executed the action of TPM_ContinueSelfTest, the TPM 

a. MAY perform the full self-test. 

b. MAY return TPM__NEEDS_SELFTEST. 
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4.2 TPM ContinueSelfTest 



Start of informative comment: 

TPM ContinueSelfTest informs the TPM that it should complete the self-test of all TPM 
functions. - -v---,^ v ,^---.-.- >,- : , . - : , T;> - - 

The TPM may return success immediately and then perform the self-test, or it may perform 
the self-test and then return success or failure. 

End of informative comment. ■ „ .. . . , _ 



Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


n 


SZ 


# 


SZ 


1 


2 






TPM.TAG 


tag 


TPM_TAG_RQU_C0 M MAN D 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal: TPM_ORD_ContinueSelfTest 


Ou 


tgoing Operands and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


sz 


# 


SZ 


1 


2 






TPM_TAG 


tag 


TPM_TAG_RS P_CO MMAN D 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_RESULT 


returnCode 


The return code of the operation. 






2S 


4 


TPM_C0MMAND_C0DE 


ordinal 


Command ordinal: TPM_ORD_ContinueSelfTest ! 



239 

240 

241 
242 
243 

244 

245 
246 

247 



Description 

1. Prior to executing the actions of TPM_ContinueSelfTest, if the TPM receives a command 
CI that uses an untested TPM function, the TPM MUST take one of these actions: 

a. The TPM MAY return TPM_NEEDS_SELFTEST 

i. This indicates that the TPM has not tested the internal resources required to 
execute CI. 

ii. The TPM does not execute C 1 . 

iii. The caller MUST issue TPM_ContinueSelfTest before re -issuing the command CI. 

(1) If the TPM permits TPM_SelfTestFull prior to completing the actions of 
TPM_ContinueSelfTest, the caller MAY issue TPM_SelfTestFull rather than 
TPM_ContinueSelfTest. 

b. The TPM MAY return TPM_DOING_SELFTEST 

» 

i. This indicates that the TPM is doing the actions of TPM^ContinueSelfTest 
implicitly, as if the TPM_ContinueSelfTest command had been issued. 

ii. The TPM does not execute CI. 
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248 iii. The caller MUST wait for the actions of TPM_ContinueSelfTest to complete before 

249 reissuing the command CI. 

250 c. The TPM MAY return TPM_SUCCESS or an error code associated with CI. 

251 i. This indicates that the TPM has completed the actions of TPM_ContinueSelfTest 

252 and has completed the command CI. 

253 ii. The error code MAY be TPM_FAILEDSELFTEST. 

254 Actions 

255 1. If TPM_PERMANENT_FLAGS -> FIPS is TRUE or TPM_PERMANENT_FLAGS -> TPMpost 

256 is TRUE 

257 a. The TPM MUST run all self-tests 

258 2. Else 

259 a. The TPM MUST complete all self-tests that are outstanding 

260 i. Instead of completing all outstanding self-tests the TPM MAY run all self- tests 

261 3. The TPM either 

262 a. MAY immediately return TPM_SUCCESS 

263 i. When TPM_ContinueSelfTest finishes execution, it MUST NOT respond to the 

264 caller with a return code. 

265 b. MAY complete the self-test and then return TPM^SUCCESS or 

266 TPM_FAILEDSELFTEST. 
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267 4.3 TPM_GetTest Result 

268 *W$zr^^ lilEl 

269 TPM GetTestResult provides manufacturer specific information regarding the results of the I 

270 ^elf-test. This command will work when the TPM is in self-test failure mode. The reason for 

271 allowing "this command to operate in the failure mode is to allow TPM manufacturers to 

272 obtain diagnostic information. . 

273 

274 Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM.TAG 


tag 


TPM_TAG_RQU_CCM M AN D 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_C0MMAND_C0DE 


ordinal 


Command ordinal: TPM_ORD_GetTestResult 


Ou 


tgoi 


ng < 


Dperands and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


I 1 


2 






TPM.TAG 


tag 


TPM_TAG_RSP_C0MMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_RESULT 


retumCode 


The return code of the operation. ! 






2S 


4 


TPM_C0MMAND_C0DE 


ordinal 


Command ordinal: TPM_ORD_GetTestResult 


4 


4 


3S 


4 


UINT32 


outDataSize 


The size of the outData area 


5 


<> 


4S 


<> 


BYTEQ 


outData 


The outData this is manufacturer specific 



276 Description 

277 This command will work when the TPM is in self test failure mode. 

278 Actions 

279 1. The TPM SHALL respond to this command with a manufacturer specific block of 

280 information that describes the result of the latest self-test 

281 2. The information MUST NOT contain any data that uniquely identifies an individual TPM. 
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282 5. Admin Opt-in 

283 5.1 TPM SetOwnerlnstall 



/ ... . , ■ , ^ :;;J ; , ..... ... . , ^ „ . . . , v ; ^ 

When enabled but without an owner this command sets the PERMANENT flag that allows or 

disallows the ability to insert an owner. 

J 



End of informative comment. 



Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM_TAG 


tag 


TPM_TAG_RQU_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag j 


3 


4 


1S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal: TPM_ORD_SetOwnertnstall 


4 


1 


2S 


1 \ 


BOOL 


state 


State to which ownership flag is to be set. 


Outgoing Operands and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM_TAG 


tag 


TPM_TAG_RSP_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_RESULT 


return Code 


The return code of the operation. 






2S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal: TPM_ORD_SetOwnerlnstall 



Action 

1. If the TPM has a current owner, this command immediately returns with 
TPM_SUCCESS. 

2. The TPM validates the assertion of physical access. The TPM then sets the value of 
TPM_PERMANENT_FLAGS -> ownership to the value in state. 
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295 5.2 TPM OwnerSetDisable 




299 Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM_TAG 


tag 


TPM_TAG_RQU_AUTH 1 _COMMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal: TPMJDRDJDwnerSetDisable 


4 


1 


2S 


1 


BOOL 


disableState 


Value for disable state -enable if TRUE 


5 


4 






TPM.AUTHHANDLE 


authHandle 


The authorization session handle used for owner authentication. 






2H1 


20 


TPMJMONCE 


authLastNonceEven 


Even nonce previously generated by TPM to cover inputs 


6 


20 


3H1 


20 


TPM.NONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


7 


1 


4H1 


1 


BOOL 


continueAuthSession 


The continue use flag for the authorization session handle 


8 


20 






TPM_AUTHDATA 


ownerAuth 


The authorization session digest for inputs and owner authentication. 
HMAC key: ownerAuth. 


Outgo 


ing Operands and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM.TAG 


tag 


TPM_TAG_RSP_AUTH 1 _COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_RESULT 


retumCode 


The return code of the operation. 






2S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal: TPM_ORD_OwnerSetDisable 


4 


20 


2H1 


20 


TPM_NONCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 






3H1 


20 


TPM_NONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


i 5 


1 


4H1 


1 


BOOL 


continueAuthSession 


Continue use flag, TRUE if handle is still active 


6 


20 






TPM_AUTHDATA 


resAuth 


The authorization session digest for the returned parameters. HMAC key: 
ownerAuth. 



301 Action 

302 1. The TPM SHALL authenticate the command as coming from the TPM Owner. If 

303 unsuccessful, the TPM SHALL return TPM_AUTHFAIL. 

304 2. The TPM SHALL set the TPM_PERMANENT_FLAGS -> disable flag to the value in the 

305 disableState parameter. 
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306 5.3 TPM_PhysicalEnable 




310 Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPMJTAG 


tag 


TPM_TAG_RQU_C0MMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_C0MMAND_C0DE 


ordinal 


Command ordinal: TPM_ORD_PhysicalEnab!e 


Outgoing Operands and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPMJTAG 


tag 


TPM_TAG_RSP_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM.RESULT 


retumCode 


The return code of the operation. 






2S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal: TPM_ORD_Physica!Enable 



312 Action 

313 1 . Validate that physical presence is being asserted, if not return TPM_BAD_PRESENCE 

314 2. The TPM SHALL set the TPM_PERMANENT_FLAGS. disable value to FALSE. 
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315 5.4 TPM_PhysicalDisable 




319 Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM.TAG 


tag 


TPM_TAG_RQU_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_C0MMAND_C0DE 


ordinal 


Command ordinal: TPM_ORD_PhysicalDisable 


Ou 


tgoing Operands and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


sz 


# 


SZ 


1 


2 






TPM_TAG 


tag 


TPM_TAG_RSP_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_RESULT 


return Code 


The return code of the operation. 






2S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal: TPM_OR D_PhysicalDisable 



321 Action 

322 1. Validate that physical presence is being asserted, if not return TPM_BAD_PRESENCE 

323 2. The TPM SHALL set the TPM_PERMANENT_FLAGS. disable value to TRUE. 
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324 5-5 TPM_PhysicalSetDeactivated 




329 Incoming Operands and Sizes 



PARAM 


HMAC ] 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM_TAG 


tag 


TPM_TAG_RQU_COMMAND 


2 


4 






U1NT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal: TPM_ORD_PhysicalSetDeactivated 


4 


1 


2S 


1 


BOOL 


state 


State to which deactivated flag is to be set. 


Ou 


tgo 


ng < 


Dpe 


rands and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM_TAG 


tag 


TPM_TAG_RSP_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPMJRESULT 


retumCode 


The return code of the operation. 






2S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal: TPM_ORD_PhysicalSetDeactivated 



331 Action 

332 1. Validate that physical presence is being asserted, if not return TPM_BAD_PRESENCE 

333 2. The TPM SHALL set the TPM_PERMANENT_FLAGS. deactivated flag to the value in the 

334 state parameter. 
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335 5.6 TPM_SetTempDeactivated 

336 jStartrf 

337 This command allows the operator of the platform to deactivate the TPM until the next boot 

338 of the platform. . 

339 This command requires operator authentication. The operator can provide the 

340 [authentication by either the assertion of physical presence or presenting the operator 

341 [AuthDaita value. ^ 

3 42 jEnd of informative comment; _____ ; . 

343 Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 




SZ 


1 


2 






TPMJTAG 


tag 


TPM_TAG_RQU_AUTH 1 ^COMMAND 


2 


4 






U1NT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_COMMAND_CODE j 


ordinal 


Command ordinal: TPM_ORD_SetTempDeactivated 


4 


4 




4 ■» 


TPM_AUTH HANDLE 


authHandle 


Auth handle for operation validation. Session type MUST be OIAP 






2H1 


20 


TPM_NONCE ' 


authLastNonceEven 


Even nonce prev iously generated by TPM to cover inputs 


5 


20 


3H1 


20 


TPMJMONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


6 


1 


4H1 


1 


BOOL 


continueAuthSession 


The continue use flag for the authorization session handle 


7 


20 






TPM_AUTHDATA 


operatorAuth 


HMAC key: operatorAuth 


Ou 


tgo 


ing C 


)pers 


mds and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPMJTAG 


tag 


TPM_TAG_RSP_AUTH 1 _C0MMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM.RESULT 


returnCode 


The return code of the operation. 






2S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal: TPMJDRD_SetTempDeactivated 


! 4 


20 


2H1 


20 


TPMJMONCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 






3H1 


20 


TPM_NONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


5 


1 


4H1 


1 


BOOL 


continueAuthSession 


Continue use flag, TRUE if handle is still active 


6 


20 






TPM_AUTHDATA 


resAuth 


The authorization session digest for the returned parameters. HMAC key: 
operatorAuth. 



345 Action 

346 1 . If tag = TPM_TAG_REQ_AUTH LCOMMAND 

347 a. If TPM_PERMANENT_FLAGS -> operator is FALSE return TPM_NOOPERATOR 

348 b. Validate command and parameters using operatorAuth, on error return 

349 TPM_AUTHFAIL 

350 2. Else 
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351 a. If physical presence is not asserted the TPM MUST return TPM_BAD_PRESENCE 

352 3. The TPM SHALL set the TPM_STCLEAR_FLAGS. deactivated flag to the value TRUE. 
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5.7 TPM_SetOperatorAuth 



Start of informative comment: 

This 



Phis command allows the setting of the operator AuthData value. • . . 

There is ; no ^confidentiality applied to the operator authentication as the value is sent under 
the | assumption of being locial to vtJhe platform. If there is a concern regarding the path 
between the! TPM and the keyboard then unless the keyboard is using encryption arid a 
secure channel an attacker can read the values. 



End of informative com ment. 
Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM.TAG 


tag 


TPM_TAG„RQU_COM MAN D 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal: TPM_0RD_SetOperatorAuth 


4 


20 


2S 


20 


TPM_SECRET 


operatorAuth 


The operator AuthData 


Outgoing Operands and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM.TAG 


tag 


TPM_TAG_RSP_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_RESULT 


retumCode 


The return code of the operation. 






2S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal: TPM_ORD_SetOperatorAuth 



Action 

1 . If physical presence is not asserted the TPM MUST return TPM_BAD_PRESENCE 

2. The TPM SHALL set the TPM_PERMANENT_DATA -> operatorAuth 

3. The TPM SHALL set TPM_PERMANENT_FLAGS -> operator to TRUE 
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367 6. Admin Ownership 

368 6.1 TPMJTakeOwnership 

369 SftartTof InfotmaBro ~~~ 

370 This command inserts the TPM Ownership value into the TPM. 

37 1 End of informative comment. 

372 Incoming Operands and Sizes 



PARAM I 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 !l 






TPMJTAG 


tag ! 


TPM_TAG_RQU_AUTH 1_C0MMAN D 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal: TPM_ORD_TakeOwnership 


4 


2 


2S 


2 


TPM.PROTOCOLJD 


protocoIlD 


The ownership protocol in use. 


5 


4 


3S 


4 


UINT32 


encOwnerAuthSize 


The size of the encOwnerAuth field 


6 


<> 


4S 


o 


BYTE[] 


encOwnerAuth 


The owner AuthData encrypted with PUBEK 


7 


4 


5S 


4 


UINT32 


encSrkAuthSize 


The size of the encSrkAuth field 


8 


o 


6S 


o 


BYTE[] 


encSrkAuth 


The SRK AuthData encrypted with PUBEK 


9 


o 


7S 


o 


TPM_KEY 


srkParams 


Structure containing all parameters of new SRK. pubKey.keyLength & 
encSize are both 0. This structure MAY be TPM.KEY12. 


10 


4 






TPM_AUTHHANDLE 


authHandle 


The authorization session handle used for this command 






2H1 


20 


TPM.NONCE 


authLastNonceEven 


Even nonce previously generated by TPM to cover inputs 1 


11 


20 


3H1 


20 


TPM_N0NCE 


nonceOdd 


Nonce generated by system associated with authHandle 


12 


1 


4H1 


1 


BOOL 


continueAuthSession 


The continue use flag for the authorization session handle 


13 


20 






TPM_AUTHDATA 


ownerAuth 


Authorization session digest for input params. HMAC key: the new 
ownerAuth value. See actions for validation operations 



373 
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Outgoing Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM.TAG 


tag 


TPM_TAG_RSP_AUTH 1 _C0MMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_RESULT 


returnCode 


The return code of the operation. 






2S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal: TPMJDRD JakeOwnership 


4 


<> 


3S 


o 


TPM.KEY 


srkPub 


Structure containing all parameters of new SRK. srkPub.encOata is set to 
0. This structure MAY be TPM_KEY12. 


5 


20 


2H1 


20 


TPM_N0NCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 






3H1 


20 


TPM.N0NCE 


nonceOdd 


Nonce generated by system associated with authHandle 


6 


1 


4H1 


1 


BOOL 


continueAuthSession 


Continue use flag, TRUE if handle is still active 


7 


20 






TPM.AUTHDATA 


resAuth 


The authorization session digest for the returned parameters. HMAC key. 
the new ownerAuth value 



375 Description 

376 The type of the output srkPub MUST be the same as the type of the input srkParams, either 

377 both TPM_KEY or both TPM_KEY12. 

378 Actions 

379 1 . If TPM_PERMANENT_DATA -> ownerAuth is valid return TPM_OWNER_SET 

380 2. If TPM_PERMANENT_FLAGS -> ownership is FALSE return TPM_INSTALL_DISABLED 

381 3. If TPMJPERMANENTJDATA -> endorsementKey is invalid return 

382 TPM_NO_ENDORSEMENT 

383 4. Verify that authHandle is of type OIAP on error return TPM_AUTHFAIL 

384 5. Create Al a TPM_SECRET by decrypting encOwnerAuth using PRIVEK as the key 

385 a. This requires that Al was encrypted using the PUBEK 

386 b. Validate that Al is a length of 20 bytes, on error return TPM_BAD_KEY_PROPERTY 

387 6. Validate the command and parameters using Al and ownerAuth, on error return 

388 TPM_AUTHFAIL 

389 7. Validate srkParams 

390 a. If srkParams -> 

391 TPM_INVALID_KEYUSAGE 

392 b. If srkParams -> migratable is TRUE return TPM_INVALID_KEYUSAGE 

393 c. If srkParams -> algorithmParms -> algorithm© is NOT TPM_ALG_RSA return 

394 TPM_BAD_KEY_PROPERTY 

395 d If srkParams -> algorithmParms -> encScheme is NOT 

396 TPM_ES_RSAESOAEP_SHAl_MGFl return TPM_BAD_KEY_PROPERTY 

397 e. If srkParams -> algorithmParms -> sigScheme is NOT TPM_SS_NONE return 

398 TPM_BAD_KEY_PROPERTY 
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f. If srkParams -> algorithmParms -> parms -> keyLength MUST be greater than or 
equal to 2048, on error return TPMJBADJCEY_PROPERTY 

g. If TPM_PERMANENT_FLAGS -> FIPS is TRUE 

i. If srkParams -> authDataUsage specifies TPM_AUTH_NEVER return 
TPM_NOTFIPS 

8. Generate Kl according to the srkParams on error return TPM_BAD_KEY_PROPERTY 

9. Create A2 a TPM_SECRET by decrypting encSrkAuth using the PRIVEK 

a. This requires A2 to be encrypted using the PUBEK 

b. Validate that A2 is a length of 20 bytes, on error return TPM_BAD_KEY__PROPERTY 

c. Store A2 in Kl -> usageAuth 

10. Store Kl in TPM_PERMANENT_DATA -> srk 

1 1. Store Al in TPM_PERMANENT_DATA -> owner Auth 

12. Create TPM_PERMANENT_DATA -> contextKey according to the rules for the algorithm 
in use by the TPM to save context blobs 

13. Create TPM_PERMANENT_DATA -> delegateKey according to the rules for the algorithm 
in use by the TPM to save delegate blobs 

14. Create TPM_PERMANENT_DATA -> tpmProof by using the TPM RNG 

15. Export TPM_PERMANENT_DATA -> srk as srkPub 

16. Set TPM_PERMANENT_FLAGS -> readPubek to FALSE 

17. Calculate resAuth using the newly established TPM_PERMANENT_DATA -> ownerAuth 



Level 2 Revision 94 29 March 2006 Draft 



25 

TCG Published 



Copyright © TCG 



TPM Main Part 3 Commands 
Specification Version 1 .2 



6-2 TPM OwnerClear 



The TPM_OwnerClear command performs the clear operation under Owner authentication. 
This command is available until the Owner executes the TPM.DisableOwnerClear, at which 
time any farther invocation of this command returns TPM_GLEAR_DISABLED. 

All state in the TPM should be cleared when the command TPM OwnerOlear is invoked. 

jEnd of ^ , ; : .- ... : ;: . ■ -. .V ■ ■ ■ ' ■ y-' u - V 



Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPMJTAG 


tag 


TPM_TAG_RQU_AUTH 1 _COMMAN D 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_COMMANDCODE 


ordinal 


Command ordinal: TPM_ORD_OwnerClear 


4 


4 






TPM_AUTH HANDLE 


authHandle 


The authorization session handle used for owner authentication. 






2H1 


20 


TPM_NONCE 


authLastNonceEven 


Even nonce previously generated by TPM to cover inputs 


5 


20 


3H1 


20 


TPM_NONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


6 


1 


4H1 


1 


BOOL 


continueAuthSession 


Ignored 


7 


20 






TPM_AUTHDATA 


ownerAuth 


The authorization session digest for inputs and owner authentication. 
HMAC key: ownerAuth. 


Ou 


tgo 


ing C 


>perands and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 




1 


2 






TPM_TAG 


tag 


TPM_TAG_RSP_AUTH 1 ^COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM.RESULT 


returnCode 


The return code of the operation. 






2S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal: TPM.ORDJDwnerClear 


4 


20 


2H1 


20 


TPM_NONCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 






3H1 


20 


TPM.NONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


5 


1 


4H1 


1 


BOOL 


continueAuthSession 


Fixed value FALSE 


6 


20 






TPM_AUTHDATA 


resAuth 


The authorization session digest for the returned parameters. HMAC key: 
old ownerAuth. 



429 
430 

431 
432 

433 



428 Actions 



1 . Verify that the TPM Owner authorizes the command and all of the input, on error return 
TPM_AUTHFAIL. 

2. If TPM_PERMANENT_FLAGS -> disableOwnerClear is TRUE then return 
TPM_CLEAR_DISABLED. 

3. Unload all loaded keys. 
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434 4. The TPM MUST NOT modify the following TPMJPERMANENT_DATA items 

435 a. endorsementKey 

436 b. revMajor 

437 c. revMinor 

438 d. manuMaintPub 

439 e . auditMonotonicCounter 

440 f. monotonicCounter 

441 g. pcrAttrib 

442 h. rngState 

443 i. EKReset 

444 j . maxNVBufSize 

445 k. lastFamilylD 

446 1. tpmDAASeed 

447 m. authDIR[0] 

448 5. The TPM MUST invalidate the following TPM_PERMANENTJDATA items and any internal 

449 resources associated with these items 

450 a. ownerAuth 

451 b. srk 

452 c. delegateKey 

453 d. delegateTable 

454 e. contextKey 

455 f. tpmProof 

456 g. operatorAuth 

457 6. The TPM MUST reset to manufacturing defaults the following TPMJPERMANENT_DATA 

458 items 

459 a. noOwnerNVWrite MUST be set to 0 

460 b. ordinalAuditStatus 

461 c. restrictDelegate 

462 7. The TPM MUST invalidate or reset all fields of TPM_STANY_DATA 

463 a. Nonces SHALL be reset 

464 b. Lists (e.g. contextList) SHALL be invalidated 

465 8. The TPM MUST invalidate or reset all fields of TPM_STCLEAR_DATA 

466 a. Nonces SHALL be reset 

467 b. Lists (e.g. contextList) SHALL be invalidated 

468 9. The TPM MUST set the following TPM_PERMANENT_FLAGS to their default values 
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469 a. disable 

470 b. deactivated 

471 c. readPubek 

472 d. disableOwnerClear 

473 lO.The TPM MUST set the following TPM_PERMANENT_FLAGS 

474 a. ownership to TRUE 

475 b. operator to FALSE 

476 c. maintenanceDone to FALSE 

477 d. allowMaintenance to TRUE 

478 1 l.The TPM releases all TPM_PERMANENT_DATA -> monotonicCounter settings 

479 a. This includes invalidating all currently allocated counters. The result will be no 

480 currently allocated counters and the new owner will need to allocate counters. The 

481 actual count value will continue to increase. 

482 12. The TPM MUST deallocate all defined NV storage areas where 

483 TPMJW_PER_OWNERWRITE is TRUE and nvlndex does not have the "D" bit set and 

484 MUST NOT deallocate any other currently defined NV storage areas. 

485 13. The TPM MUST invalidate all familyTable entries 

486 14. The TPM MUST terminate all OSAP, DSAP, and transport sessions. 

487 I 15. The TPM MUST terminate all sessions, active or saved 
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488 6.3 TPM ForceClear 




494 Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM.TAG 


tag 


TPM_TAG_RQU_COMMAN D 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal: TPM_ORD_ForceClear 


Ou 


tgoing Operands and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


sz 


# 


SZ 


1 


2 






TPM_TAG 


tag 


TPM_TAG_RSP_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_RESULT 


retumCode 


The return code of the operation. 






2S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal: TPIVLORD^ForceClear 



496 Actions 

497 1. The TPM SHALL check for the assertion of physical presence, if not present return 

498 TPM_BAD_PRESENCE 

499 2. If TPM_STCLEAR_FLAGS -> disableForceClear is TRUE return TPM_CLEARJDISABLED 

500 3. The TPM SHALL execute the actions of TPM_OwnerClear (except for the TPM Owner 

50 1 authentication check) 



Level 2 Revision 94 29 March 2006 Draft 



29 

TCG Published 



Copyright © TCG 



TPM Main Part 3 Commands 
Specification Version 1 .2 



502 6.4 TPM_DisableOwnerClear 

503 jSfaxt^^ comment: | 

504 ;The TPM_DisableOwnerGlear command disables the ability to execute the TPM^OwherClear 

505 jcommand permanently. Once invoked the only method of clearing the TPM will require 

506 [physical access to the TPM. 

507 I After the execution of TPM ForceClear, ownerClear is re -enabled and must be explicitly 

508 disabled again by the new TPM Owner. . 

509 |End of informative comment, • - ■ " - " ^ ' .. _ 1_— , i_ 

510 Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM_TAG 


tag 


TPM_TAG_RQU_AUTH 1 .COMMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal: TPM_ORD_DisableOwnerClear 


4 


4 






TPM_AUTH HANDLE 


authHandle 


The authorization session handle used for owner authentication. 






2H1 


20 ; 


TPM_N0NCE 


authLastNonceEven 


Even nonce previously generated by TPM to cover inputs 


5 


20 


3H1 


20 


TPM.NONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


6 


1 


4H1 


1 


BOOL 


continueAuthSession 


The continue use flag for the authorization session handle 


7 


20 






TPM_AUTHDATA 


ownerAuth 


The authorization session digest for inputs and owner authentication. 
HMAC key: ownerAuth. 


Ou 


tgo 


ing C 


)per 


ands and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM.TAG 


tag 


TPM_TAG_RSP_AUTH 1 _COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM.RESULT 


returnCode 


The return code of the operation. 






2S 


4 


TPM_C0MMAND__C0DE 


ordinal 


Command ordinal: TPM_ORD_DisableOwnerClear 


4 


20 


2H1 


20 


TPM.NONCE 


nonceEven 


Even nonce newty generated by TPM to cover outputs 






3H1 


20 


TPM.NONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


5 


1 


4H1 


1 


BOOL 


continueAuthSession 


Continue use flag, TRUE if handle is still active 


6 


20 






TPM_AUTHDATA 


resAuth 


The authorization session digest for the returned parameters. HMAC key: 
ownerAuth. 



512 Actions 

513 1. The TPM verifies that the authHandle properly authorizes the owner. 

514 2. The TPM sets the TPM_PERMANENT_FLAGS -> disableOwnerClear flag to TRUE. 
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515 3. When this flag is TRUE the only mechanism that can clear the TPM is the 

516 TPM_ForceClear command. The TPM_ForceClear command requires physical access to 

517 the TPM to execute. 
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6.5 TPM DisableForceClear 



Start of informative comment: 



The TPMJDisableForceClear command disables the execution of the TPM_ForceClear 
command until t^e next startup cycle. Once this command is executed, the TPM_ForceClear 
is disabled until another startup cycle is run. 

End of informative comment. 



Incoming Operands and Sizes 



PARAM I 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPMJTAG 


tag 


TPM_TAG_RQU_COMMAND 


2 


4 






UINT32 


pa ram Size 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal: TPM_ORD_DisableForceClear 


Outgoing Operands and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPMJTAG 


tag 


TPM_TAG_RSP_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_RESULT 


retumCode 


The return code of the operation. 






2S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal: TPM_ORD_DisableForceClear 



526 

527 
528 



Actions 

1. The TPM sets the TPM_STCLEAR_FLAGS . disableForceClear flag in the TPM that disables 
the execution of the TPM_ForceClear command. 
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6.6 TSC_PhysicalPresence 



545 
546 



Start of informative comment: 

! if : \ ■■■.■■ ; v;V::)\. ' ' , - / : , ;yc,, - - - ; , ■. 

Some TPM operations require the indication of a human's physical presence at the platform. 
The presence of the human either provides another indication of platform ownership or a 
mechanism to ensure that the execution of the command is not the result of a remote 
| software process. 

This command allows a process on the platform to indicate the assertion of physical 
presence. As this command is executable by software there must be protections against the 
improper invocation of this command. 

The physicalPresenceHWEnable and physicalPresenceCMDEnable indicate the ability for 
either SW or HW to indicate physical presence. These flags can be reset until the 
physicalPresenceLifetimeLock is set. The platform manufacturer should set these flags to| 
indicate the capabilities of the platform the TPM is bound to. 

The command provides two sets of functionality. The first is to enable, permanently, either 
the HW or the SW ability to assert physical presence. The second is to allow SW, if enabled, 
to assert physical presence. 

End of informative comment. . •: . . , , '^2L^— 



Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPMJTAG 


tag 


TPM_TAG_RQU_COMMAND 


2 


4 






UINT32 


pa ram Size 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal: TSC_ORD_PhysicalPresence. 


4 


2 


2S 


2 


TPM_PHYSICAL_PRESENCE 


physicalPresence 


The state to set the TPM's Physical Presence flags. 


Ou 


tgoi 


ng < 


Dpe 


rands and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


sz 


# 


sz 


1 


2 






TPMJTAG 


tag 


TPM_TAG_RSP_COM MAN D 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_RESULT 


returnCode 


The return code of the operation. 






2S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal: TSC_ORD_PhysicalPresence. 



547 



548 

549 
550 

551 
552 
553 
554 



Actions 

1. 



The first is the lifetime 



For documentation ease, the bits break into two categories, 
settings and the second is the assertion settings, 
a Define Al to be the lifetime settings: TPM_PHYSICAL_PRESENCE_LIFETIME_LOCK, 
TPM_PHYSICAL_PRESENCE_HW_ENABLE, TPM_PHYSICAL_PRESENCE_CMD_ENABLE, 
TPM_PHYSICAL_PRESENCE_HW_DISABLE, and 
TPM_PHYSICAL_PRESENCE_CMD_DISABLE 
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555 b. Define A2 to be the assertion settings: TPM_PHYSICAL_PRESENCE_LOCK, 

556 TPM_PHYSICAL_PRESENCE_PRESENT, and TPM_PHYSICAL_PRESENCE_NOTPRESENT 

557 Lifetime lock settings 

558 2. If any A 1 setting is present 

559 a. If TPM_PERMANENT_FLAGS -> physicalPresenceLifetimeLock is TRUE, return 

560 TPM_BAD_PARAMETER 

561 b. If any A2 setting is present return TPM_BAD_PARAMETER 

562 c If both physicalPresence -> TPM_PHYSICAL_PRESENCE_HW_ENABLE and 

563 physicalPresence -> TPM_PHYSICAL_PRESENCE_HW_DISABLE are TRUE, return 

564 TPM_BAD_PARAMETER. 

565 d If both physicalPresence -> TPM_PHYSICAL_PRESENCE_CMD_ENABLE and 

566 physicalPresence -> TPM_PHYSICAL_PRESENCE_CMD_DISABLE are TRUE, return 

567 TPM_BAD_PARAMETER. 

568 e. If physicalPresence -> TPM_PHYSICAL_PRESENCE_HW_ENABLE is TRUE Set 

569 TPM_PERMANENT_FLAGS -> physicalPresenceHWEnable to TRUE 

570 f. If physicalPresence -> TPM_PHYSICAL_PRESENCE_HW_DISABLE is TRUE Set 

571 TPM_PERMANENT_FLAGS -> physicalPresenceHWEnable to FALSE 

572 g. If physicalPresence -> TPM_PHYSICAL_PRESENCE_CMD_ENABLE is TRUE, Set 

573 TPM_PERMANENT_FLAGS -> physicalPresenceCMDEnable to TRUE. 

574 h. If physicalPresence -> TPM_PHYSICAL_PRESENCE_CMD_DISABLE is TRUE, Set 

575 TPM_PERMANENT_FLAGS -> physicalPresenceCMDEnable to FALSE. 

576 i. If physicalPresence -> TPM_PHYSICAL_PRESENCE_LIFETIME_LOCK is TRUE 

577 i. set TPM_PERMANENT_FLAGS -> physicalPresenceLifetimeLock to TRUE 

578 j. Return TPM_SUCCESS 

579 SW physical presence assertion 

580 3. If any A2 setting is present 

58 1 a. If any A 1 setting is present return TPM_BAD_PARAMETER 

582 i. This check here just for consistency, the prior checks would have already ensured 

583 that this was ok 

584 b. If TPM_PERMANENT_FLAGS -> physicalPresenceCMDEnable is FALSE, return 

585 TPM_B AD_PARAM ETER 

586 c If both physicalPresence -> TPM_PHYSICAL_PRESENCE_LOCK and physicalPresence 

587 -> TPMplrYSrcAL_PRESENCE_PRESENT are TRUE, return TPM_BAD_PARAMETER 

588 d. If both physicalPresence -> TPM_PHYSICAL_PRESENCE_PRESENT and 

589 physicalPresence -> TPM_PHYSICAL_PRESENCE_NOTPRESENT are TRUE, return 

590 TPM_BAD_PARAMETER 

591 e . If TPM_STCLEAR_FLAGS -> physicalPresenceLock is TRUE, return 

592 TPM_BAD_PARAM ETER 
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593 f. If physicalPresence -> TPM_PHYSICAL_PRESENCE_LOCK is TRUE 

594 i. Set TPM_STCLEAR_FLAGS -> physicalPresence to FALSE 

595 ii. Set TPM_STCLEAR_FLAGS -> physicalPresenceLock to TRUE 

596 iii. Return TPM_SUCCESS 

597 g. If physicalPresence -> TPM_PHYSICAL_PRESENCE_PRESENT is TRUE 

598 i. Set TPM_STCLEAR_FLAGS -> physicalPresence to TRUE 

599 h. If physicalPresence -> TPM_PHYSICAL_PRESENCE_NOTPRESENT is TRUE 

600 i. Set TPM_STCLEAR_FLAGS -> physicalPresence to FALSE 

601 i. Return TPM_SUCCESS 

602 4. Else / / There were no Al or A2 parameters set 

603 a. Return TPM_BAD_PARAMETER 
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6.7 TSC ResetEstablishmentBit 



Start of informative comment: 

The PC TPM Interface Specification (TIS) specifies setting tpmEstablished to TRUE upon 
execution of the HASH_START sequence. The setting implies the creation of a Trusted 
Operating System on the platform. Platforms will use the value of tpmEstablished to 
determine if operations necessary, to maintain the security perimeter are necessary. 

The tpmEstablished bit provides a non-volatile, secure reporting that a HASH_START was 
previously run on the platform. When a platform makes use of the tpmEstablished bit, the 
platform can reset tpmEstablished as the operation is no longer necessary. 

[For example, a platform could use tpmEstablished to ensure that, if HASH_START had ever 
Ibeen, executed the platform could use the value to invoke special processing. Once the 
(processing is complete the platform will wish to reset tpmEstablished to avoid invoking the 
; special process again. 

The TPM_PERMANENT_FLAGS -> tpmEstablished bit described in the TPM specifications j 
uses positive logic. The TPM_ACCESS register uses negative logic, so that TRUE is reflected 
as a 0. 

End of informative comment. , .. _ _ 



Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM_TAG 


tag 


TPM_TAG_RQU_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_C0MMAND_C0DE 


ordinal 


Command ordinal: TSC_ORD„ResetEstablishmentBit 


Ou 


tgo 


ing 1 


Dpe 


rands and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPMJTAG 


tag 


TPM_TAG_RSP_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_RESULT 


return Code 


The return code of the operation. 






2S 


4 


TPM_C0M M AN D_C0D E 


ordinal 


Command ordinal: TSC_0RD_ResetEstab1ishmentBit 



622 



623 Actions 

624 1 . Validate the assertion of locality 3 or locality 4 

625 2. Set TPM_PERMANENT_FLAGS -> tpmEstablished to FALSE 

626 3. Return TPM_SUCCESS 
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7. The Capability Commands 



638 
639 
640 
641 

642 

643 
644 

645 
646 
647 



Start of informative comment: 



The TPM has numerous capabilities that a remote entity may wish to know about. These j 
items include support of algorithms, key sizes, protocols and vendor -specific additions. The j 
TPM GetCapabilitv command allows the TPM to report back to the requestor what type of 

TPM _ it iS r\Z.K„o Ltu 



with. 



The request for information requires the requestor to specify which piece of information that 
is required. The request does not allow the "merging" of multiple requests and returns only 
a single piece of information. 

In failure mode, the TPM returns a limited set of information that includes the TPM 
manufacturer and version. 

In version 1.2 with the deletion of TPM_GetCapabilitySigned the way to obtain a signed 
listing of the capabilities is to create a transport session, perform TPM_GetCapability 
commands to list the information and then close the transport session using 
TPM_ReleaseTransportSigned. 

|End of infor mative , comment, , „ ^„,,,.^ ^ -* 

1. The standard information provided in TPM_GetCapabili1y MUST NOT provide unique 
information 

a. The TPM has no control of information placed into areas on the TPM like the NV store 
that is reported by the TPM. Configuration information for these areas could conceivably 
be unique 
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648 7.1 TPM_GetCapability 




654 Incoming Parameters and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPMJTAG ! 


tag 


TPM_TAG_RQU_COMMAN D 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal: TPM_ORD_GetCapability 


4 


4 


2S 


4 


TPM_CAPABILITY_AREA 


capArea 


Partition of capabilities to be interrogated 


5 


4 


3S 


4 


UINT32 


subCapSize 


Size of subCap parameter 


6 


<> 


4S 


<> 


BYTEQ 


subCap 


Further definition of information 


Ou 


tgoing I 


Pars 


imeters and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


S7 


# 


SZ 


| 1 


2 






TPMJTAG 


tag 


TPM_TAG_RSP_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM.RESULT 


returnCode 


The return code of the operation. 






2S 


4 


TPM.COMMANDCODE 


ordinal 


Command ordinal: TPM_ORD_GetCapability 


4 


4 


3S 


4 


UINT32 


respSize 


The length of the returned capability response 


5 


o 


4S 


o 


BYTE[] 


resp 


The capability response 



656 Actions 

657 1. The TPM validates the capArea and subCap indicators. If the information is available, 

658 the TPM creates the response field and fills in the actual information. 

659 2. The structure document contains the list of caparea and subCap values 

660 3. If the TPM is in failure mode 

661 a. The TPM MUST only' return TPM manufacturer and TPM version. 

662 4. If the TPM is in limited operation mode 

663 a. The TPM MUST only return TPM_CAP_PROPERTY -> TPM_CAP_PROP_DU RATION. 
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664 7.2 TPIVLSetCapability 

665 

666 This command sets values in the TPM. 

667 A setValue that is inconsistent with the capArea arid subCap is considered a bad 

668 Ipararneter. ' " -;h-' v -', 

669 [Endl of informative comment. _„_J „_ " 

670 Incoming Parameters and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM_TAG 


tag 


TPM_TAG_RQU_AUTH 1 ..COMMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 | 


TPM_COMMAND_CODE 


ordinal 


ordinal:TPM_ORD_SetCapability 


4 


4 


2S 


4 


TPM_CAPABILITY_AREA 


capArea ! 


Partition of capabilities to be set 


5 


4 


3S 


4 


UINT32 


subCapSize 


Size of subCap parameter 


6 


<> 


4S 


o 


BYTEQ 


subCap 


Further definition of information 


7 


4 


5S 


4 


UINT32 ~^ 


setValueSize 


The size of the value to set 


8 


o 


6S 


<> 


BYTEQ 


setValue 


The value to set 


9 


4 






TPM_AUTH HANDLE 


authHandle 


The authorization session handle used for owner authentication. 






2H1 


20 


TPM.N0NCE 


authLastNonceEven 


Even nonce previously generated by TPM to cover inputs 


10 


20 


3H1 


20 


TPM_N0NCE 


nonceOdd 


Nonce generated by system associated with authHandle 


11 


1 


4H1 


1 


BOOL 


continueAuthSession 


The continue use flag for the authorization session handle 


12 


20 






TPM.AUTHDATA 


ownerAuth 


Authorization. HMAC key: owner .usageAuth. 
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671 Outgoing Parameters and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM TUCX 
I r IVI_ 1 r\\y 


tag 


TPM TAG RSP AUTH1 COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_RESULT 


returnCode 


The return code of the operation. 






2S 


4 


TPM_COMMAND_CODE 


ordinal 


ordinal:TPM_ORD_SetCapability 


I 4 


20 


2H1 


20 


TPM_N0NCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 






3H1 


20 


TPM_N0NCE 


nonceOdd 


Nonce generated by system associated with authHandle 


5 


1 


4H1 


1 


BOOL 


continueAuthSession 


Continue use flag, TRUE if handle is still active 


6 


20 






TPM_AUTHDATA 


resAuth 


Authorization HMAC key.owner.usageAuth. 



672 Actions 

673 1. If tag = TPM_TAG_RQU__AUTH l_COMMAND , validate the command and parameters 

674 using ownerAuth, return TPM_AUTHFAIL on error 

675 2. The TPM validates the capArea and subCap indicators, including the ability to set value 

676 based on any set restrictions 

677 3. If the capArea and subCap indicators conform with one of the entries in the structure 

678 TPM_CAPABILITY_AREA (Values for TPM_SetCapability) 

679 a. The TPM sets the relevant flag/ data to the value of setValue parameter. 

680 4. Else 

68 1 a. Return the error code TPM_BAD_PARAMETER. 
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7.3 TPM_GetCapabilityOwner 



Start of informative comment: 

It can provide information to TPM_GetCapabilitySigned which may result in an invalid 



TPM_GetCapabnity Owner enabl es the TPM r Owner ; to retrieve all the noh- volatile flags and 
the volatile fla^gs in a single operation. This command is deprecated, mandatory. 

The flags summarize many operational aspects of the TPM . The information represented by 
some flags is private to toe TPM Owner. So, for simplicity, proof of ownership of the TPM 
| must be presented to retrieve the set of flags. When necessary, the flags that are not private 
to the Owner can be deduced by Users via other (more specific) means. 

The normal TPM authentication mechanisms are sufficient to prove the integrity of the 
jresponse. No a.dditional integrity check is required. 

j End of informative comment, ' :< '\ . - - 4 ^ :t -^-- ^ 



Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 




1 


2 






TPM_TAG 


tag 


TPM_TAG_RQU_AUTH 1_COM MAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_C0MMAND_CODE 


ordinal 


Command ordinal: TPM_ORD_GetCapbilrtyOwner 


4 


4 






TPM_AUTHHANDLE 


authHandle 


The authorization handle used for Owner authorization. 






2H1 


20 


TPM_NONCE 


authLastNonceEven 


Even nonce previously generated by TPM to cover inputs 


5 


20 


3H1 


20 


TPM_NONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


6 


1 


4H1 


1 


BOOL 


continueAuthSession 


The continue use flag for the authorization handle 


7 


20 






TPM.AUTHDATA 


ownerAuth 


The authorization digest for inputs and owner authorization. HMAC key: 
OwnerAuth. 


Ou 


tgo 


ingC 


>perands and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM.TAG 


tag \ 


TPM_TAG_RSP_AUTH 1 .COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_RESULT 


returnCode 


The return code of the operation. See section 4.3. 






2S 


4 


TPM_COMMAND_CODE 


ordinal 


Ordinal: TPM_ORD_GetCapabilityOwner 


4 


4 


3S 


4 


TPM.VERSION 


version 


A properly filled out version structure. 


5 


4 


4S 


4 


UINT32 


non_volatile_flags 


The current state of the nonvolatile flags. 


6 


4 


5S 


4 


UINT32 


volatile_flags 


The current state of the volatile flags. 


7 


20 


2H1 


20 


TPM_NONCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 






3H1 


20 


TPM_NONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


: 8 


1 


4H1 


1 


BOOL 


continueAuthSession 


Continue use flag, TRUE if handle is still active 



696 
697 
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20 



TPM.AUTHDATA 



resAuth 



The authorization digest for the returned parameters. HMAC key. OwnerAuth. 



699 Description 

700 For 31>=N>=0 

1. Bit-N of the TPM_PERMANENT_FLAGS structure is the Nth bit after the opening bracket 
in the definition of TPMJPERMANENT_FLAGS in the version of the specification 
indicated by the parameter "ve rsion". The bit immediately after the opening bracket is 
the 0* bit. 

2. Bit-N of the TPMJ3TCLEAR_FLAGS structure is the Nth bit after the opening bracket in 
the definition of TPM_STCLEAR_FLAGS in the version of the specification indicated by 
the parameter "version". The bit immediately after the opening bracket is the 0^ bit. 

3. Bit-N of non_volatile_flags corresponds to the Nth bit in TPM_PERMANENT_FLAGS, and 
the lsb of non_volatile_flags corresponds to bitO of TPM_PERMANENT_FLAGS 

4. Bit-N of volatile_flags corresponds to the Nth bit in TPM_STCLEAR_FLAGS , and the lsb 
of volatile_ftags corresponds to bitO of TPM_STCLEAR_FLAGS 

Actions 

1. The TPM validates that the TPM Owner authorizes the command. 

2. The TPM creates the parameter non_volatile_flags by setting each bit to the same state 
as the corresponding bit in TPM_PERMANENT_FLAGS. Bits in non_volatile_flags for 
which there is no corresponding bit in TPM_PERMANENT_FLAGS are set to zero. 

3. The TPM creates the parameter volatile_flags by setting each bit to the same state as the 
corresponding bit in TPM_STCLEAR_FLAGS. Bits in volatilejlags for which there is no 
corresponding bit in TPM_STCLEAR_FLAGS are set to zero. 

720 4. The TPM generates the parameter "version". 

721 5. The TPM returns nonvolatile Jlags, volatile_flags and version to the caller. 
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727 

728 
729 

730 



8. Auditing 

8.1 Audit Generation 



Start of informative comment: 

The TPM generates an audit event in response to the TPM executing a function that has the 
audit flag set to TRUE for that function. 

The TPM . maintains an extended value for all audited ope rations . 

Input audit generation occurs before the listed actions and output audit generation occurs 
after the listed actions. 

End of informative comment. ^o.-^; ■ ■■■ ■ ' : 



731 Description 

732 1. The TPM extends the audit digest whenever the ordinalAuditStatus is TRUE for the 

733 ordinal about to be executed. The only exception is if the ordinal about to be executed is 

734 TPM^SetOrdinalAuditStatus. In that case, output parameter auditing is performed if the 

735 ordinalAuditStatus resulting from command execution is TRUE. 

736 2. If the command is malformed 

737 a. If the ordinal is unknown, unimplemented, or cannot be determined, no auditing is 

738 performed. 

739 b. If the ordinal is known and audited, but the "above the line" parameters are 

740 malformed and the input parameter digest cannot be determined, use an input digest of 

741 all zeros. 

742 i. Use an output digest of the return code and ordinal. 

743 c. If the ordinal is known and audited, the "above the line" parameters are determined, 

744 but the "below the line" parameters are malformed, use an input digest of the "above the 

745 line" parameters. 

746 i. Use an output digest of the return code and ordinal. 

747 d. Malformed in this context means that, when breaking up a command into its 

748 parameters, there are too few or too many bytes in the command stream. 

749 e. Breaking up a command in this context means only the parsing required to extract 

750 the parameters. 

751 i. E.g., for parameter set comprising a UINT32 size and a BYTE[] array, the BYTE[] 

752 array should not be further parsed. 

753 Actions 

754 The TPM will execute the ordinal and perform auditing in the following manner 

755 1. Map VI to TPM_STANY_DATA 

756 2. Map PI to TPM_PERMANENTJDATA 

757 3. If VI -> auditDigest is NULL 
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758 a. Increment PI -> auditMonotonicCounter by 1 

759 4. Create Al a TPM_AUDIT_EVENT_IN structure 

760 a. Set Al -> inputParms to the digest of the input parameters from the command 

761 i. Digest value according to the HMAC digest rules of the "above the line" 

762 parameters (i.e. the first HMAC digest calculation). 

763 b. Set Al -> auditCount to PI -> auditMonotonicCounter 

764 c. Set VI -> auditDigest to SHA-1 (VI -> auditDigest | | Al) 

765 5. Execute command 

766 a. Execution implies the performance of the listed actions for the ordinal. 

767 6. Create A2 a TPM_AUDIT_EVENT_OUT structure 

768 a. Set A2 -> outputParms to the digest of the output parameters from the command 

769 i. Digest value according to the HMAC digest rules of the "above the line" 

770 parameters (i.e. the first HMAC digest calculation). 

771 b. Set A2 -> auditCount to PI -> auditMonotonicCounter 

772 c. Set VI -> auditDigest to SHA-1 (VI -> auditDigest | | A2) 
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8.2 Effect of audit failing after completion of a command 



[Start of informative comment: 

An operation could complete and then when the TPM attempts to audit the command the 
audit process could have an internal error. 

With one return parameter, The TPM is unable to return both the audit failure and the 
command success or failure results. To indicate the audit failure, the TPM will return one of 
two error codes: TPM_AUDITFAIL_SUCCESSFUL (if the command completed successfully) 
or TPM_AUDITFAIL_UNSUCCESSFUL (if the command completed unsuccessfully) . 

This new functionality changes the 1.1 TPM functionality when this condition occurs. 

End o f informative comment, . _ - ■ '■■ .; : „ : l ... 

1. When after completion of an operation, and in performing the audit process, the TPM 
has an internal failure (unable to write, SHA-1 failure etc.) the TPM MUST set the 
internal TPM state such that the TPM returns the TPM_FAILEDSELFTEST error on 
subsequent attempts to execute a command 

787 2. The return code for the command uses the following rules 

788 a. Command result success, Audit success -> return TPM_SUCCESS 

789 b. Command result failure, Audit success -> return command result failure 

790 c. Command result success, Audit failure -> return TPM_AUDITFAIL_SUCCESSFUL 

791 d. Command result failure, Audit failure -> return TPM_AUDITFAIL_UNSUCCESSFUL 

792 3. If the TPM is permanently nonrecoverable after an audit failure, then the TPM MUST 

793 always return TPM_FAILEDSELFTEST for every command other than 

794 TPM_GetTestResult. This state must persist regardless of power cycling, the execution of 

795 TPM_Init or any other actions. 
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8.3 



TPM_GetAuditDigest 



Start of informative comment: 

This returns the current audit digest. The external audit log has the responsibility to track 
the parameters that constitute the audit digest. 

This value may be unique to an individual TPM. The value however will be changing at a 
Irate set by the TPM Owner. Those attempting to use this value may find it changing without 
their knowledge. This value represents a very poor source of tracking uniqueness. 
(End of informative comment* .,:=■:;.=:■ :? ki.-:.:.yr-- 



Incoming Parameters and Sizes 



PARAM 


HMAC ; 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPMJTAG 1 


tag 


TPM_TAG_RQU_COMMAND 


2 


4 






UINT32 


pa ram Size 


Total number of input bytes including paramSize and tag 


3 


4 






TPM_COMMAND_CODE 


ordinal 


Command ordinal: TPM_ORD_GetAuditDigest j 


4 


4 






UINT32 


startOrdinal 


The starting ordinal for the list of audited ordinals 


Outgoing Parameters and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


I # 


SZ 


# 


SZ 


1 


2 






TPM_TAG 


Tag 


TPM_TAG_RSP_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 






TPM_RESULT 


retumCode 


The return code of the operation. 


5 


10 






TPM_COUNTER_VALUE 


counterValue 


The current value of the audit monotonic counter 


4 


20 






TPM_DIGEST 


auditDigest 


Log of all audited events 


5 


1 






BOOL 


more 


TRUE if the output does not contain a full list of audited ordinals 


5 


4 






UINT32 


ordSize 


Size of the ordinal list in bytes 


6 


o 






UINT32Q 


ordList 


List of ordinals that are audited. 



805 



806 
807 

808 

809 

810 

811 
812 

813 
814 



Description 

1 . This command is never audited. 
Actions 

1 . The TPM sets auditDigest to TPM_STANY_DATA -> auditDigest 

2. The TPM sets counterValue to TPM_PERMANENT_DATA -> auditMonotonicCounter 

3. The TPM creates an ordered list of audited ordinals. The list starts at startOrdinal listing 
each ordinal that is audited. 

a. If startOrdinal is 0 then the first ordinal that could be audited would be TPM_OIAP 
(ordinal OxOOOOOOOA) 
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815 b. The next ordinal would be TPM_OSAP (ordinal OxOOOOOOOB) 

816 4. If the ordered list does not fit in the output buffer the TPM sets more to TRUE 

817 5. Return TPM_STANY_DATA -> auditDigest as auditDigest 
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8.4 



TPM_GetAuditDigestSigned 



824 

825 
826 
827 
828 
829 
830 
831 
832 
833 

834 
835 



Start of informative comment: 

The signing of the audit log returns the entire digest value and the list of currently audited 
commands. 

The inclusion of the list of audited commands as an atomic operation is to tie the current 
digest value with the list of commands that are being audited. 

Note to future architects 

When auditing functionality is active in a TPM, it may seem logical to remove this ordinal 
from the active set of ordinals as the signing . functionality of this command could be 
handled in a signed transport session. While true, this command has a secondary affect 
also, resetting the audit log digest. As the reset: requires TPM Owner authentication, there 
must be some way in this command to reflect the TPM Owner wishes. By requiring that a 
TPM Identity key be the only key that can sign and reset, the TPM Owner's authentication is 
implicit in the execution of the command (TPM Identity Keys are created and controlled by 
the TPM Owner only). Hence, while one might want to remove an ordinal this is not one that 
can be removed if auditing is functional. 

End of informative comment. _ ;_ _ 



Incoming Parameters and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


sz 


# 


SZ 


1 


2 






TPM.TAG 


tag 


TPM_TAGJRQU_AUTH1_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal: TPM_ORD_GetAuditDigestSigned 


4 


4 






TPM_KEY_HANDLE 


keyHandle 


The handle of a loaded key that can perform digital signatures. 


5 


1 


2S 


1 


BOOL 


closeAudit 


Indication if audit session should be closed 


6 


20 


3S 


20 


TPMJMONCE 


antiReplay 


A nonce to prevent replay attacks 


7 


4 






TPM_AUTHHANDLE 


authHandle 


The authorization session handle used for key authentication. 






2H1 


20 


TPM_NONCE 


authLastNonceEven 


Even nonce previously generated by TPM to cover inputs 


8 


20 


3H1 


20 


TPMJMONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


9 


1 


4H1 


1 


BOOL 


continueAuthSession 


The continue use flag for the authorization session handle 


10 


20 






TPM.AUTHDATA 


keyAuth 


Authorization. HMAC key: key.usageAuth. 
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836 Outgoing Parameters and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPMJTAG 


tag 


TPM_TAG_RSP_AUTH1_C0MMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM.RESULT 


returnCode 


The return code of the operation. 






2S 


4 


TPM_C0MMAND_C0DE 


ordinal 


Command ordinal: TPM_ORD_GetAuditDigestSigned 


4 


10 


3S 


10 


TPM_COUNTER_VALUE 


counterValue 


The value of the audit monotonic counter 


5 


20 


4S 


20 


TPM_DIGEST 


auditDigest 


Log of all audited events 


6 


20 


5S 


20 


TPM.DIGEST 


ordinalDigest 


Digest of all audited ordinals 


7 


4 


6S 


4 


UINT32 


sigSize 


The size of the sig parameter 


8 


o 


7S 


o 


BYTED 


sig 


The signature of the area 


9 


20 


2H1 


20 


TPM.NONCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 






3H1 


20 


TPM_N0NCE 


nonceOdd 


Nonce generated by system associated with authHandle 


10 


1 


4H1 


1 


BOOL 


continueAuthSession 


Continue use flag, TRUE if handle is still active 


11 


20 






TPM_AUTHDATA 


resAuth 


Authorization HMAC key: key.usageAuth. 



837 Actions 

838 1. Validate the AuthData and parameters using keyAuth, return TPM_AUTHFAIL on error 

839 2. The TPM validates that the key pointed to by keyHandle has a signature scheme of 

840 TPM_SS_RSASSAPKCS IV 1 5_SHA 1 , return TPM JNVALID_KEYUSAGE on error 

841 3. Create Dl a TPM_SIGN_INFO structure and set the structure defaults 

842 a. Set Dl -> fixed to "ADIG" 

843 b. Set Dl -> replay to antiReplay 

844 c. Create D3 a list of all audited ordinals as defined in the TPM_GetAuditDigest 

845 UINT32[] ordList outgoing parameter 

846 d. Create D4 the SHA- 1 of D3 

847 e. Set auditDigest to TPM_STANY_DATA -> auditDigest 

848 f. Set counterValue to TPM_PERMANENT_DATA -> auditMonotonicCounter 

849 g. Create D2 the concatenation of auditDigest | | counterValue | | D4 

850 h. Set Dl -> data to D2 

851 i. Create a digital signature of the SHA-1 of Dl by using the signature scheme for 

852 keyHandle 

853 j. Set ordinalDigest to D4 

854 4. If closeAudit == TRUE 

855 a. If keyHandle ->keyUsage is TPM_KEY_IDENTITY 

856 i. TPM_STANY_DATA -> auditDigest MUST be set to NULLS. 
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857 b. Else 

858 i. Return TPMJNVALID_KEYUSAGE 
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859 8,5 TPM SetOrdinalAuditStatus 



860 Start of informative coxnment: 




■-■<•--■■<■'- -- ' ■ 

ation of the TPM Ownfer. 


861 |Set the audit flag for a given ordinal. I 


Requires the authentic 


862 j End of informative comment. 







863 incoming Parameters and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM_TAG 


tag 


TPM_TAG_RQU_AUTH 1_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_C0MMAND_C0DE 


ordinal 


Command ordinal: TPM_ORD_SetOrdinalAuditStatus 


4 


4 


2S 


4 


TPM_C0MMAND_C0DE 


ordinalTo Audit 


The ordinal whose audit flag is to be set 


5 


1 


3S 


1 


BOOL 


audits tate 


Value for audit flag 


6 


4 






TPM_AUTHHANDLE 


authHandle 


The authorization session handle used for owner authentication 






2H1 


20 


TPM_N0NCE 


authLastNonceEven 


Even nonce previously generated by TPM to cover inputs 


7 


20 


3H1 


20 


TPM.NONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


8 


1 


4H1 


1 


BOOL 


continueAuthSession 


The continue use flag for the authorization session handle 


9 


20 






TPM_AUTHDATA 


ownerAuth 


HMAC key: ownerAuth. 


Outgoing Parameters and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 




1 


2 






TPM.TAG 


tag 


TPM_TAG_RSP_AUTH 1 ^COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes inc luding paramSize and tag 


3 


4 


1S 


4 


TPM.RESULT 


returnCode 


The return code of the operation. 






2S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal: TPM_ORD_SetOrdinalAuditStatus 


4 


20 


2H1 


20 ! 


TPM_N0NCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 






3H1 


20 


TPM.NONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


5 


1 


4H1 


1 


BOOL 


continueAuthSession 


Continue use flag, TRUE if handle is still active 


6 


20 






TPM_AUTHDATA 


resAuth 


The authorization session digest for the returned parameters. HMAC key: 
ownerAuth. 



865 Actions 

866 1 . Validate the AuthData to execute the command and the parameters 

867 2. Validate that the ordinal points to a valid TPM ordinal, return TPM„BADINDEX on error 

868 a. Valid TPM ordinal means an ordinal that the TPM implementation supports 

869 3. Set the non-volatile flag associated with ordinalToAudit to the value in auditState 
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370 9. Administrative Functions - Management 
871 9.1 TPM_FieldUpgrade 



872 start of informative comment: 

873 The TPM needs a mechanism to allow for updating the protected capabilities once a TPM is 

874 |in the field. Given the varied nature of TPM implementations there will be numerous 

875 [methods of performing an upgrade of the protected capabilities. This command, when 

876 (implemented, provides a manufacturer specific method of performing the upgrade. 

877 <The manufacturer can determine, within the listed requirements, how to implement this 

878 j command. The command may be more than one command and actually a series of 

879 [commands. : j 

880 The IDL definition is to create an ordinal for the command, however the remaining 

881 parameters are manufacturer specific. 

882 The policy to determine when it is necessary to perform the actions of TPM_RevokeTrust is 

883 outside the TPM spec and determined by other TCG workgroups. 

884 End of informative comment. .-_ 

885 IDL Definition 

886 TPM_RESULT TPM_FieldUpgrade ( 

887 [in, out] TPM_AUTH* ownerAuth, 

888 ...) ; 



889 Type 

890 This is an optional command and a TPM is not required to implement this command in any 

891 form. 



892 Parameters 



Type 


Name 


Description 


TPM_AUTH 


ownerAuth 


Authentication from TPM owner to execute command 






Remaining parameters are manufacturer specific 



893 Descriptions 

894 The upgrade mechanisms in the TPM MUST not require the TPM to hold a global secret. The 

895 definition of global secret is a secret value shared by more than one TPM. 

896 The TPME is not allowed to pre -store or use unique identifiers in the TPM for the purpose of 

897 field upgrade. The TPM MUST NOT use the endorsement key for identification or encryption 

898 in the upgrade process. The upgrade process MAY use a TPM Identity to deliver upgrade 

899 information to specific TPM's. 

900 The upgrade process can only change protected capabilities. 

901 The upgrade process can only access data in shielded locations where this data is necessary 

902 to validate the TPM Owner, validate the TPME and manipulate the blob 
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903 The TPM MUST be conformant to the TPM specification, protection profiles and security 

904 targets after the upgrade. The upgrade MAY NOT decrease the security values from the 

905 original security target. 

906 The security target used to evaluate this TPM MUST include this command in the TOE. 

907 When a field upgrade occurs, it is always sufficient to put the TPM into the same state as a 

908 successfully executed TPM_RevokeTrust. 

909 Actions 

910 The TPM SHALL perform the following when executing the command: 

911 1. Validate the TPM Owners AuthData to execute the command 

912 2. Validate that the upgrade information was sent by the TPME. The validation mechanism 

913 MUST use a strength of function that is at least the same strength of function as a 

914 digital signature performed using a 2048 bit RSA key. 

915 3. Validate that the upgrade target is the appropriate TPM model and version. 

916 4. Process the upgrade information and update the protected capabilities 

917 5. Set the TPM_PERMANENT_DATA.revMajor and TPM_PERMANENT_DATA. revMinor to the 

918 values indicated in the upgrade. The selection of the value is a manufacturer option. The 

919 values MUST be monotonically increasing. Installing an upgrade with a major and minor 

920 revision that is less than currently installed in the TPM is a valid operation. 

92 1 6. Set the TPM_STCLEAR_FLAGS. deactivated to TRUE 
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922 

923 

924 

925 
926 

927 
928 



9.2 TPM SetRedirection 




Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM.TAG 


tag 


TPM_TAG_RQU_AUTH1_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinat TPM_ORD_SetRedirection 


4 


4 






TPM_KEY_HANDLE 


keyHandle 


The keyHandle identifier of a loaded key that can implement redirection. 


5 


4 


2S 


4 


TPM_REDIR_COMMAND 


redirCmd 


The command to execute 


6 


4 


3S 


4 


UINT32 


inputDataSize 


The size of the input data 


7 


o 


4S 


<> 


BYTE 


inputData 


Manufacturer parameter 


8 


4 






TPM.AUTHHANDLE 


authMandle 


The authorization session handle used for keyHandle authorization 






2H1 


20 


TPM.NONCE 


authLastNonceEven 


Even nonce previously generated by TPM to cover inputs 


9 


20 


3H1 


20 


TPM.NONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


10 


1 


4H1 


1 


BOOL 


continueAuthSession 


The continue use flag for the authorization session handle 


11 


20 






TPM_AUTHDATA 


ownerAuth 


HMAC key ownerAuth 


On 


itgo 


ing C 


>per 


ands and Sizes 


PARAM 


| HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 




1 


2 






TPM_TAG 


tag 


TPM_TAG_RSP_AUTH1_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


| 4 


TPMJtESULT 


returnCode 


The return code of the operation. 






2S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal: TPM_ORD_SetRedirection 


4 


20 


2H1 


20 


TPM_NONCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 






3H1 


20 


TPMJMONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


5 


1 


4H1 


1 


BOOL 


continueAuthSession 


Continue use flag, TRUE if handle is still active 


6 


20 






TPM.AUTHDATA 


resAuth 


The authorization session digest for the returned parameters. HMAC key: 
key.usageAuth 



930 

931 
932 



Action 

1 . If tag == TPM_TAG_REQ_AUTH l_COMMAND 
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933 a. Validate the command and parameters using TPM Owner authentication, on error 

934 return TPM_AUTHFAIL 

935 2. if redirCmd == TPM_REDIR_GPIO 

936 a. Validate that keyHandle points to a loaded key, return TPM_INVALID_KEYHANDLE 

937 on error 

938 b. Validate the key attributes specify redirection, return TPM_BAD_TYPE on error 

939 c. Validate that inputDataSize is 4, return TPM_BAD_PARAM_SIZE on error 

940 d. Validate that inputData points to a valid GPIO channel, return 

941 TPM_BAD_PARAMETER on error 

942 e. Map CI to the TPM_GPIO_CONFIG_CHANNEL structure indicated by inputData 

943 f. If CI -> attr specifies TPM_GPIO_ATTR_OWNER 

944 i. If tag != TPM_TAG_REQ_AUTH l_COMMAND return TPM_AUTHFAIL 

945 g. If CI -> attr specifies TPM_GPIO_ATTR_PP 

946 i. If TPM_STCLEAR_FLAGS -> physicalPresence == FALSE, then return 

947 TPM_BAD_PRESENCE 

948 h. Return TPM.SUCCESS 

949 3. The TPM MAY support other redirection types. These types may be specified by TCG or 

950 provided by the manufacturer. 
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951 

952 

953 

954 
955 
956 
957 

958 
959 
960 

961 
962 

963 
964 



9.3 TPM ResetLockValue 



Informative comment 

i Command that resets the TPM dictionary attack mitigation values 

(This allows the TPM owner to cancel the effect of a number of successive authorization 
failures. Dictionary attack mitigation is vendor specific, and the actions here are one 
possible implementation. The TPM may treat an authorization failure outside the mitigation 
time as a normal failure and not disable the command. 

If this command itself has an authorization fedlure, it is blocked for the remainder of the 
lock out period. This prevents a dictionary attack on the owner authorization using this 
command. i - : v ;::^ ''■ :: '- : r ;; - : ^;;:; ; :? '-- < - - :: p - f$ 

It is understood that this command allows the TPM owner to perform a dictionary attack on 

other authorization values by alternating a trial and this command. 

End of informative comments * ■^ ■.■.^■■wy. • - : ■ - : ■ 



Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPMJTAG 


tag 


TPM_TAG_RQU_AUTH 1 _C0MMAN D 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinat TPM„ORD_ResetLockValue 


4 


4 






TPM.AUTHHANDLE 


authHandle 


The authorization session handle used for TPM Owner authorization 






2H1 


20 


TPM.NONCE 


authLastNonceEven 


Even nonce previously generated by TPM to cover inputs 


5 


20 


3H1 


20 


TPM.NONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


6 


1 


4H1 


1 


BOOL 


continueAuthSession 


The continue use flag for the authorization session handle 


7 


20 






TPM.AUTHDATA 


ownerAuth 


HMAC key TPM Owner auth 


Oil 


tgo 


ing C 


)perands and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


| # 


SZ 




1 


2 






TPM.TAG 


tag 


TPM_TAG_RSP_AUTH 1 _COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM.RESULT 


returnCode 


The return code of the operation. 






2S 


4 


TPM.COMMANDCODE 


ordinal 


Command ordinal: TPM_ORD_ResetLockValue 


4 


20 


2H1 


20 


TPM_N0NCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 






3H1 


20 


TPM.NONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


5 


1 


4H1 


1 


BOOL 


continueAuthSession 


Continue use flag, TRUE if handle is still active 


6 


20 






TPM.AUTHDATA 


resAuth 


HMAC key: TPM Owner auth 



965 
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966 Action 

967 1. If TPM_STCLEAR_DATA -> disableResetLock is TRUE return TPM_AUTHFAIL 

968 a. The internal dictionary attack mechanism will set TPM_STCLEAR_DATA -> 

969 disableResetLock to FALSE when the timeout period expires 

970 2. If the command and parameters validation using owner Auth fails 

971 a. Set TPM_STCLEAR_DATA -> disableResetLock to TRUE 

972 b. Restart the TPM dictionary attack lock out period 

973 c. Return TPM_AUTHFAIL 

974 3. Reset the internal TPM dictionary attack mitigation mechanism 

975 a. The mechanism is vendor specific and can include time outs, reboots, and other 

976 mitigation strategies 
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977 10. Storage functions 



10.1 TPM Seal 



Start off informative comment: 

The SEAL operation allows software to explicitly state the future "trusted" configuration that 
jthe platform must be in foir the secret to be revealed. The SEAL operation also implicitly 
| includes the relevant platform configuration (PCR-values) when the SEAL operation was 
^performed. The SEAL operation uses the tpmProof value to BIND the blob to an individual 
iTPM. ^ v < 

If the UNSEAL operation succeeds, proof of the platform configuration that was in effect 
when the SEAL operation was performed is returned to the caller, as well as the secret data. 
This proof may, or may not, be of interest. If the SEALed secret is used to authenticate the 
platform to a third party, a caller is normally unconcerned about the state of the platform 
when the secret was SEALed, .and the proof may be of no interest. On the other hand, if the 
SEALed secret is used to authenticate a third party to the platform, a caller is normally 
concerned about the state of the platform when the secret was SEALed. Then the proof is of 
interest. 

For example, if SEAL is used to store a secret key for a future configuration (probably to 
prove that the platform is a particular platform that is in a particular configuration), the 
only requirement is that that key can be used only when the platform is in that future 
configuration. Then there is no interest in the platform configuration when the secret key 
was SEALed. An example of this case is when SEAL is used to store a network 
authentication key. 

On the other hand, suppose an OS contains an encrypted database of users allowed to log 
on to the platform. The OS uses a SEALED blob to store the encryption key for the user- 
database. However, the nature of SEAL is that any SW stack can SEAL a blob for any other 
[software stack. Hence the OS can be attacked by a second OS replacing both the SEALED - 
Iblob encryption key, and the user database itself, allowing untrusted parties access to the 
services of the OS. To thwart such attacks, SEALED blobs include the past SW 
configuration. Hence, if the OS is concerned about such attacks, it may check to see 
whether the past configuration is one that is known to be trusted. 

TPM_Seal requires the encryption of one parameter ("Secret w ). For the sake of uniformity 
with other commands that require the encryption of more than one parameter, the string 
used for XOR encryption is generated by concatenating a nonce (created during the OSAP 
| session) with the session shared secret and then hashing the result. 

Oil |End of informative comment, - ' ' ' " - : - .;' „ 
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012 Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM.TAG 


tag 


TPM_TAG„RQU_AUTH 1_COMMAND 


2 


4 






UINT32 


pa ram Size 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_C0MMAND_C0DE 


ordinal 


Command ordinal: TPM_ORD_Seal. 


4 


4 






TPM_KEY_HANDLE 


keyHandle 


Handle of a loaded key that can perform seal operations. 


5 


20 


2S 


20 


TPM_ENCAUTH 


encAuth 


The encrypted AutnData for the sealed data. The encryption key is tne 
shared secret from the OSAP protocol. 


6 


4 


3S 


4 


UINT32 


pcrlnfoSize 


The size of the pcrinfo parameter. If 0 there are no PCR registers in use 


7 


o 


4S 


<> 


TPM PCR INFO 


nrrlnfn 


The PCR selection information. The caller MAY use 
TPM_PCRJNFO_LONG. 


8 


4 


5S 


4 


UINT32 


inDataSize 


The size of the inData parameter 


9 


<> 


6S 


<> 


BYTE[] 


inData 


The data to be sealed to the platform and any specified PCRs 


10 


4 






TPM.AUTHHANDLE 


authHandle 


The authorization session handle used for keyHandle authorization. 
Must be an OSAP session for this command. 






2H1 


20 


TPM_N0NCE 


authLastNonceEven 


Even nonce previously generated by TPM to cover inputs 


11 


20 


3H1 


20 


TPM.NONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


12 


1 


4H1 


1 


BOOL 


continueAuthSession 


Ignored 


13 


20 






TPM.AUTHDATA 


pubAuth 


The authorization session digest for inputs and keyHandle. HMAC key: 
key.usageAuth. 


Outgoing Operands and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 




1 


2 






TPMJTAG 


tag 


TPM_TAG_RSP_AUTH 1 .COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_RESULT 


returnCode 


The return code of the operation. 






2S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinat TPM_ORD_Seal. 


4 


<> 


3S 


<> 


TPM_STORED_DATA 


sealedData 


Encrypted, integrity -protected data object that is the result of the 
TPM.Seal operation. 


5 


20 


2H1 


20 


TPM.NONCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 






3H1 


20 


TPM_NONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


6 


1 


4H1 


1 


BOOL 


continueAuthSession 


Continue use flag, fixed value of FALSE 


7 


20 






TPM_AUTHDATA 


resAuth 


The authorization session digest for the returned parameters. HMAC key: 
key.usageAuth. 



014 Descriptions 

015 TPM^Seal is used to encrypt private objects that can only be decrypted using TPM_Unseal. 

016 Actions 

017 1. Validate the authorization to use the key pointed to by keyHandle 
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018 2. If the inDataSize is 0 the TPM returns TPM_BAD_PARAMETER 

019 3. If the keyUsage field of the key indicated by keyHandle does not have the value 

020 TPM_KEY_STORAGE, the TPM must return the error code TPM_INVALID_KEYUSAGE . 

021 4. If the keyHandle points to a migratable key then the TPM MUST return the error code 

022 TPM_INVALID_KEY_USAGE . 

023 5. Determine the version of pcrlnfo 

024 a. If pcrlnfoSize is 0 

025 i. set VI to 1 

026 b. Else 

027 i. Point XI as TPMJ>CR_INFO_JLONG structure to pcrlnfo 

028 ii. If XI -> tag is TPM_TAG__PCR_INFO_LONG 

029 (1) Set VI to 2 

030 iii. Else 

031 (1) Set VI to 1 

032 6. If VI is 1 then 

033 a. Create SI a TPM_STORED_DATA structure 

034 7. else 

035 a. Create SI a TPM_STORED_DATA 1 2 structure 

036 b. Set SI -> et to NULL 

037 8. Set si -> encDataSize to 0 

038 9. Set si -> encData to NULL 

039 10. Set si -> seallnfoSize to pcrlnfoSize 

040 1 1 .If pcrlnfoSize is not 0 then 

041 a. if VI is 1 then 

042 i. Validate pcrlnfo as a valid TPM_PCRJNFO structure, return TPM_BADINDEX on 

043 error 

044 ii. Set si -> seallnfo -> pcrSelection to pcrlnfo -> pcrSelection 

045 iii. Create hi the composite hash of the PCR selected by pcrlnfo -> pcrSelection 

046 iv. Set si -> seallnfo -> digestAtCreation to hi 

047 v. Set s 1 -> seallnfo -> digestAtRelease to pcrlnfo -> digestAtRelease 

048 b. else 

049 i. Validate pcrlnfo as a valid TPM_PCR_INFO_LONG structure, return 

050 TPM_BADINDEX on error 

051 ii. Set si -> seallnfo -> creationPCRSelection to pcrlnfo -> creationPCRSelection 

052 iii. Set si -> seallnfo -> releasePCRSelection to pcrlnfo -> releasePCRSelection 



60 



TCG Published 



Level 2 Revision 94 29 March 2006 Draft 



TPM Main Part 3 Commands TCG © Copyright 

Specification Version 1 .2 

053 iv. Set si -> seallnfo -> digestAtRelease to pcrlnfo -> digestAtRelease 

054 v. Set si -> seallnfo -> localityAtRelease to pcrlnfo -> localityAtRelease 

055 vi. Create h2 the composite hash of the TPM_STCLEARJ3ATA -> PCR selected by 

056 pcrlnfo -> creationPCRSelection 

057 vii. Set si -> seallnfo -> digestAtCreation to h2 

058 viii. Set si -> seallnfo -> localityAtCreation to TPM_STANY_FLAGS -> 

059 localityModifier 

060 12. If authHandle indicates XOR encryption for the AuthData secrets 

061 a. Create XI the SHA-1 of the concatenation of (authHandle -> sharedSecret | | 

062 authLastNonceEven) 

063 b. Create al by XOR XI and encAuth 

064 13. Else 

065 a. Create al by decrypting encAuth using the algorithm indicated in the OSAP session 

066 b. Key is from authHandle -> sharedSecret 

067 c. IV is SHA-1 of (authLastNonceEven | | nonceOdd) 

068 14. The TPM provides NO validation of al. Well-known values (like NULLS) are valid and 

069 possible. 

070 15. Create s2 a TPM_SEALED_DATA structure 

071 a. Set s2 -> payload to TPM_PT_SEAL 

072 b. Set s2 -> tpmProof to TPM_PERMANENTJDATA -> tpmProof 

073 c. Create h3 the SHA-1 of si 

074 d. Set s2 -> storedDigest to h3 

075 e. Set s2 -> authData to al 

076 f. Set s2 -> dataSize to inDataSize 

077 g. Set s2 -> data to inData 

078 16. Validate that the size of s2 can be encrypted by the key pointed to by keyHandle, return 

079 TPM_BAD_DATASIZE on error 

080 17. Create s3 the encryption of s2 using the key pointed to by keyHandle 

081 18. Set continueAuthSession to FALSE 

082 19. Set si -> encDataSize to the size of s3 

083 20. Set si -> encData to s3 

084 2 1 . Return s 1 as sealedData 
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085 

086 

087 
088 
089 
090 
091 
092 
093 

094 
095 

096 
097 



10.2 TPM Unseal 



71 



Start of informative comment : 



|The TPM_Unseal operation will reveal TPM_SeaTed data only if it was encrypte d on this 
[platform and the current configuration (as defined by the named PGR contents) is the one 
named as qualified to decrypt it. Internally, TPM_Unseal accepts a data blob generated by a 
TPM_Seal operation. TPM_Unseal decrypts the structure internally, checks the integrity of 
the resulting data, and checks that the PCR named has the value named during TPM_Seal. 
Additionally, the caller must supply appropriate AuthData for blob and for the key that was 
used to seal that data. 

If the integrity, platfo^ and authorization checks succeed, the sealed data is 

.returned to the caller; otherwise, an error is generated. 

End of informative c omment. 
Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM_TAG 


tag 


TPM_TAG_RQU_AUTH2_C0MMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_C0MMAND_C0DE 


ordinal \ 


Command ordinal: TPM_0RD_Unseal. 


4 


4 






TPM_KEY_HANDLE 


parentHandle 


Handle of a loaded key that can unseal the data. 


5 


o 


2S 


o 


TPM_ST0RED_DATA 


inData 


The encrypted data generated by TPM_Seal. 


6 


4 






TPM.AUTHHANDLE 


authHandle 


The authorization session handle used for parentHandle. 






2H1 


20 


TPM_N0NCE 


authLastNonceEven 


Even nonce previously generated by TPM to cover inputs 


7 


20 


3H1 


20 


TPMJMONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


8 


1 


4H1 


1 


BOOL 


continueAuthSession 


The continue use flag for the authorization session handle 


9 


20 






TPM_AUTHDATA 


parentAuth 


The authorization session digest for inputs and parentHandle. HMAC 
key: parentKey.usageAuth. 


10 


4 






TPM_AUTH HANDLE 


dataAuthHandte 


The authorization session handle used to authorize inData. 






2H2 


20 


TPM.N0NCE 


dataLastNonceEven 


Even nonce previously generated by TPM 


11 


20 


3H2 


20 


TPM_N0NCE 


datanonceOdd 


Nonce generated by system associated with entityAuthHandle 


12 


1 


4H2 


1 


BOOL 


continueDataSession 


Continue usage flag for dataAuthHandle. 


13 


20 






TPM.AUTHDATA 


dataAuth 


The authorization session digest for the encrypted entity. HMAC key: 
entity.usageAuth. 
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098 Outgoing Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPMJTAG 


tag 


TPM_TAG_RSP_AUTH2_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_RESULT 


returnCode 


The return code of the operation. 






2S 


4 


TPM_COMMANDCODE 


ordinal 


Command ordinat TPM_ORD__Unseal. 


4 


4 


3S 


4 


UINT32 


secrets ize 


The used size of the output area for secret 


5 


o 


4S 


o 


BYTE[] 


secret 


Decrypted data that had been sealed 


c 
o 




tn 1 


on 


TPM_N0NCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 






3H1 


20 


TPMJMONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


7 


1 


4H1 


1 


BOOL 


continueAuthSession 


Continue use flag, TRUE if handle is still active 


8 


20 






TPM.AUTHDATA 


resAuth 


The authorization session digest for the returned parameters. HMAC 
key: parentKey.usageAuth. 


9 


20 


2H2 


20 


TPM_N0NCE 


dataNonceEven 


Even nonce newly generated by TPM. 






3H2 


20 


TPM.NONCE 


datanonceOdd 


Nonce generated by system associated with dataAuthHandle 


10 


1 


4H2 


1 


BOOL 


continueDataSession 


Continue use flag, TRUE if handle is still active 


11 


20 






TPM_AUTHDATA 


dataAuth 


The authorization session digest used for the dataAuth session. HMAC 
key: entity.usageAuth. 



099 Actions 

100 1. The TPM MUST validate that parentAuth authorizes the use of the key in parentHandle, 

101 on error return TPM_AUTHFAIL 

102 2. If the keyUsage field of the key indicated by parentHandle does not have the value 

103 TPM_KEY_STORAGE, the TPM MUST return the error code TPM_INVALID_KEYUSAGE. 

104 3. The TPM MUST check that the TPM_KEY_FLAGS -> Migratable flag has the value FALSE 

105 in the key indicated by parentHandle. If not, the TPM MUST return the error code 

106 TPM_INVALID_KEYUSAGE 

107 4. Determine the version of inData . 

108 a. If inData -> tag = TPM_TAG_STORED_DATA12 

109 i. Set VI to 2 

110 ii. Map S2 a TPM_STORED_DATA 1 2 structure to inData 

111 b. Else If inData -> ver = 1.1 

112 i. Set VI to 1 

113 ii. Map S2 a TPM_STORED_DATA structure to inData 

114 c. Else 

115 i. Return TPM_BAD_VERSION 

116 5. Create dl by decrypting S2 -> encData using the key pointed to by parentHandle 
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117 6. Validate dl 

1 18 a. dl MUST be a TPMJ3EALEDJ3ATA structure 

1 19 b. dl -> tpmProof MUST match TPM_PERMANENT_DATA -> tprriProof 

120 c. Set S2 -> encDataSize to 0 

121 d. Set S2 -> encData to NULL 

122 e . Create h 1 the SHA- 1 of inData 

123 f. dl -> storedDigest MUST match hi 

124 g. dl -> payload MUST be TPM_PT_SEAL 

125 h. Any failure MUST return TPM_NOTSEALED_BLOB 

126 7. The TPM MUST validate authorization to use dl by checking that the HMAC calculation 

127 using dl -> authData as the shared secret matches the dataAuth. Return 

128 TPM_AUTHFAIL on mismatch. 

129 8. If S2 -> seallnfoSize is not 0 then 

130 a. If VI is 1 then 

131 i. Validate that S2 -> pcrlnfo is a valid TPM_PCR_INFO structure 

132 ii. Create h2 the composite hash of the PCR selected by S2 -> pcrlnfo -> pcrSelection 

133 b. If VI is 2 then 

134 i. Validate that S2 -> pcrlnfo is a valid TPM_PCRJNFCMX>NG structure 

135 ii. Create h2 the composite hash of the TPM_STCLEARJDATA -> PCR selected by S2 

136 -> pcrlnfo -> releasePCRSelection 

137 iii. Check that S2 -> pcrlnfo -> localityAtRelease for TPM_STANY_DATA -> 

138 localityModifier is TRUE 

139 (1) For example if TPM_STANY_DATA -> localityModifier was 2 then S2 -> pcrlnfo 

140 -> localityAtRelease -> TPM_LOC_TWO would have to be TRUE 

141 c. Compare h2 with S2 -> pcrlnfo -> digestAtRelease, on mismatch return 

142 TPM_WRONGPCRVAL 

143 9. If VI is 2 and inData -> et specifies encryption (i.e. is not NULL) then 

144 a . If tag is not TPM_TAG_RQU_AUTH2_COMM AND , return TPM__AUTHFAIL 

145 b. Verify that the authHandle session type is TPM_PID__OSAP, return TPM_BAD_MODE 

146 on error. 

147 c. If inData -> et is TPM_ET_XOR 

148 i. Use MGF1 to create string XI of length sealedDataSize. The inputs to MGF1 are; 

149 authLastnonceEven, nonceOdd, "XOR", and authHandle -> sharedSecret. The 

150 four concatenated values form the Z value that is the seed for MFG1. 

151 ii. Create ol by XOR of dl -> data and XI 

152 d. Else 

153 i. Create ol by encrypting dl -> data using the algorithm indicated by inData -> et 
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154 ii. Key is from authHandle -> sharedSecret 

155 iii. IV is SHA-1 of (authLastNonceEven | | nonceOdd) 

156 e. Set continueAuthSession to FALSE 

157 10. else 

158 a. Set ol to dl -> data 

1 59 11. Set the return secret as o 1 

1 60 12. Return TPM.SUCCESS 
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161 


10.3 TPMJJnBind 


162 


Start of informative comment: 


163 
164 
165 


TPM_UnBind takes the data blob that is the result of a TspLData_Bind command and 
decrypts it for export to the User, The caller must authorize the use of the key that will 
decrypt the incoming blob. 


166 
167 


TPM_UnBind operates on a block-by-block basis , and has, no notion of any relation between 
one block and another. ^ 


168 


End of informative comment. 


169 


Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM_TAG 


tag 


TPM_TAG_RQU_AUTH 1 _COMMAN D 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal: TPfVLORDJJnBind. 


4 


4 






TPM_KEY_HANDLE 


keyHandle 


The keyHandle identifier of a loaded key that can perform UnBind 
operations. 


5 


4 


2S 


4 


UINT32 


inDataSize 


The size of the input blob 


6 


<> 


3S 


<> 


BYTE[] 


inData 


Encrypted blob to be decrypted 


7 


4 






TPM_AUTHHANDLE 


authHandle 


The handle used for keyHandle authorization 






2H1 


20 


TPMJMONCE 


authLastNonceEven 


Even nonce previously generated by TPM to cover inputs 


8 


20 


3H1 


20 


TPMJMONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


9 


1 


4H1 


1 


BOOL 


continueAuthSesston 


The continue use flag for the authorization session handle 


10 


20 






TPM.AUTHDATA 


privAuth 


The authorization session digest that authorizes the inputs and use of 
keyHandle. HMAC key: key.usageAuth. 
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170 Outgoing Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM_TAG 


tag 


TPM_TAG_RSP_AUTH1_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


! is 


4 


TPM_RESULT 


returnCode 


The return code of the operation. 






2S 


4 


TPM_C0MMAND_C0DE 


ordinal 


Command ordinal: TPM_ORD_UnBind 


4 


4 


3S 


4 


UINT32 


outDataSize 


The length of the returned decrypted data 


5 


o 


4S 


o 


BYTE[] 


outData 


The resulting decrypted data. 


6 


20 


2H1 


20 


TPM.N0NCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 






3H1 


20 


TPM_N0NCE 1 


nonceOdd 


Nonce generated by system associated with authHandle 


i 7 


1 


4H1 


1 


BOOL 


continueAuthSession 


Continue use flag, TRUE if handle is still active 


8 


20 






TPM.AUTHDATA 


resAuth 


The authorization session digest for the returned parameters. HMAC key: 
key.usageAuth. 



171 Description 

172 TPM_UnBind SHALL operate on a single block only. 

173 Actions 

174 The TPM SHALL perform the following: 

175 1 . If the inDataSize is O the TPM returns TPM_BAD_PARAMETER 

176 2. Validate the AuthData to use the key pointed to by keyHandle 

177 3. If the keyUsage field of the key referenced by keyHandle does not have the value 

178 TPM_KEY__BIND or TPM_KEY_LEGACY, the TPM must return the error code 

1 79 TPM_INVALID_KEYUSAGE 

180 4. Decrypt the inData using the key pointed to by keyHandle 

181 5. if (keyHandle -> encScheme does not equal TPM_ES_RSAESOAEP_SHAl_MGFl) and 

182 (keyHandle -> keyUsage equals TPM_JCEY_LEGACY), 

183 a. The payload does not have TPM specific markers to validate, so no consistency check 

184 can be performed. 

185 b. Set the output parameter outData to the value of the decrypted value of inData. 

186 (Padding associated with the encryption wrapping of inData SHALL NOT be returned.) 

187 c. Set the output parameter outDataSize to the size of outData, as deduced from the 

188 decryption process. 

189 6. else 

190 a. Interpret the decrypted data under the assumption that it is a TPM_BOUND_DATA 

19 1 structure, and validate that the payload type is TPM__PT_BIND 
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192 b. Set the output parameter outData to the value of TPM_BOUNDJDATA -> 

193 payloadData. (Other parameters of TPM_BOUND_DATA SHALL NOT be returned. 

194 Padding associated with the encryption wrapping of inData SHALL NOT be returned.) 

195 c. Set the output parameter outDataSize to the size of outData, as deduced from the 

196 decryption process and the interpretation of TPM _BOUND_DATA. 

197 7. Return the output parameters. 



68 



TCG Published 



Level 2 Revision 94 29 March 2006 Draft 



TPM Main Part 3 Commands 
Specification Version 1 .2 



TCG © Copyright 



198 

199 

200 
201 

202 
203 

204 
205 



10.4 TPM_CreateWrapKey 



Start of informative comment: 

The TPM_CreateWrapKey command both generates and creates a secure storage bundle for 
asymmetric keys. 

The newly created key can be locked to a specific PCR value by specifying a set of PCR 
registers. ' ,; /V/.; >- : r , ; . : f ■ % 1 - ; ^^^^fl*^^^^^ 

End of informative comment. 



Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM.TAG 


tag 


TPM_TAG_RQU_AUTH 1 ^COMMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal: TPM_ORD_CreateWrapKey 


4 


4 






TPM_KEY_HANDLE 


parentHandle 


Handle of a loaded key that can perform key wrapping. 


5 


20 


2S 


20 


TPM_ENCAUTH 


dataUsageAuth 


Encrypted usage AuthData for the sealed data. 


6 


20 


3S 


20 


TPM_ENCAUTH 


dataMigrationAuth 


Encrypted migration AuthData for the sealed data. 


7 


o 


4S 


<> 


TPM.KEY 


keylnfo 


Information about key to be created, pubkey.keyLength and 
keylnfo.encData elements are 0. MAY be TPM.KEY12 


8 


4 






TPM_AUTH HANDLE 


authHandle 


parent key authorization. Must be an OSAP session. 






2H1 


20 


TPM_N0NCE 


authLastNonceEven 


Even nonce previously generated by TPM to cover inputs 


9 


20 


3H1 


20 


TPM_N0NCE 


nonceOdd 


Nonce generated by system associated with authHandle 


10 


1 


4H1 


1 


BOOL 


continueAuthSession 


Ignored 


11 


20 






TPM.AUTHDATA 


pubAuth 


Authorization HMAC key: parentKey.usageAuth. 


Ov 


itgo 


ing C 


)per 


ands and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


I # 


SZ 


# 


SZ 










1 


2 






TPMJTAG 


tag 


TPM JTAG_RSP_AUTH 1 .COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_RESULT 


returnCode 


The return code of the operation. 






2S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal: TPM_ORD_CreateWrapKey 


4 


o 


4S 


<> 


TPM.KEY 


wrappedKey 


The TPM KEY structure which includes the public and encrypted private 
key . MAY be TPMJ<EY12 


5 


20 


2H1 


20 


TPMJMONCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 






3H1 


20 


TPMJMONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


6 


1 


4H1 


1 


BOOL 


continueAuthSession 


Continue use flag, fixed at FALSE 


7 


20 






TPM_AUTHDATA 


resAuth 


Authorization HMAC key: parentKey.usageAuth. 
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207 Actions 

208 The TPM SHALL do the following: 

209 1. Validate the AuthData to use the key pointed to by parentHandle. Return 

210 TPM_AUTHFAIL on any error. 

211 2. Validate the session type for parentHandle is OSAP. 

212 3. If the TPM is not designed to create a key of the type requested in keylnfo, return the 

2 1 3 error code TPM_BAD_KEY_PROPERTY 

214 4. Verify that parentHandle->keyUsage equals TPM_KEY_STORAGE 

215 5. If parentHandle -> keyFlags -> migratable is TRUE and keylnfo -> keyFlags -> migratable 

216 is FALSE then return TPM_INVALID_KEYUSAGE 

217 6. Validate key parameters 

218 a. keylnfo -> keyUsage MUST NOT be TPM_KEY_IDENTITY or 

2 19 TPM_KEY_AUTHCHANGE. If it is, return TPM_INVALID_KEYUSAGE 

220 b. If keylnfo -> keyFlags -> migrateAuthority is TRUE then return 

221 TPM_INVALID_KEYUSAGE 

222 7. If TPM_PERMANENT_FLAGS -> FIPS is TRUE then 

223 a. If keylnfo -> keySize is less than 1024 return TPM_NOTFIPS 

224 b. If keylnfo -> authDataUsage specifies TPM_AUTH_NEVER return TPM_NOTFIPS 

225 c. If keylnfo -> keyUsage specifies TPM_KEY_LEGACY return TPM.NOTFIPS 

226 8. If keylnfo -> keyUsage equals TPM_KEY_STORAGE or TPM_KEY_MIGRATE 

227 i. algorithmID MUST be TPM_ALG_RSA 

228 ii. encScheme MUST be TPM_ES_RSAESOAEP_SHAl_MGFl 

229 iii. sigScheme MUST be TPM_SS_NONE 

230 iv. key size MUST be 2048 

231 9. Determine the version of key 

232 a. If keylnfo -> ver is 1.1 

233 i. Set VI to 1 

234 ii. Map wrappedKey to a TPM_KEY structure 

235 iii. Validate all remaining TPM_KEY structures 

236 b. Else if keylnfo -> tag is TPM_TAG_KEY 1 2 

237 i. Set VI to 2 

238 ii. Map wrappedKey to a TPM_KEY12 structure 

239 iii. Validate all remaining TPM_KEY12 structures 

240 1 0. If authHandle indicates XOR encryption for the AuthData secrets 
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241 a. Create XI the SHA-1 of the concatenation of (authHandle -> sharedSecret j| 

2 42 authLastNonceEven) 

243 b. Create X2 the SHA-1 of the concatenation of (authHandle ->' sharedSecret | | 

244 nonceOdd) 

245 c. Create DU 1 the XOR of dataUsageAuth and XI 

246 d. Create DM1 the XOR of dataMigrationAuth and X2 

247 11. Else 

248 a. Decrypt dataUsageAuth and dataMigrationAuth using the algorithm indicated in the 

249 OSAP session 

250 i. Create DU1 from dataUsageAuth 

251 ii. Create DM1 from dataMigrationAuth 

252 b. Key is from authHandle -> sharedSecret 

253 c. IV is SHA-1 of (authLastNonceEven | | nonceOdd) 

254 1 2 . Set continueAuthSession to FALSE 

255 13. Generate asymmetric key according to algorithm information in keylnfo 

256 14. Fill in the wrappedKey structure with information from the newly generated key. 

257 a. Set wrappedKey -> encData -> usageAuth to DU 1 

258 b. If the KeyFlags -> migratable bit is set to 1, the wrappedKey -> encData -> 

259 migrationAuth SHALL contain the decrypted value from DataMigrationAuth. 

260 c. If the KeyFlags -> migratable bit is set to 0, the wrappedKey -> encData -> 

261 migrationAuth SHALL be set to the value tpmProof 

262 1 5. If keylnfo- >PCRInfoSize is non-zero 

263 a. If VI is 1 

264 i. Set wrappedKey -> pcrlnfo to a TPM_PCR_INFO structure using the pcrSelection 

265 to indicate the PCR's in use 

266 b. Else 

267 i. Set wrappedKey -> pcrlnfo to a TPM_PCRJNFO„LONG structure 

268 c. Set digestAtCreation to the TPM_COMPOSITE_HASH indicated by 

269 creationPCRSelection 

270 d. If VI is 2 set localityAtCreation to TPM_STANY_DATA -> locality 

271 16. Encrypt the private portions of the wrappedKey structure using the key in parentHandle 

272 17. Return the newly generated key in the wrappedKey parameter 
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273 
274 

275 
276 
277 

278 
279 
280 
281 

282 
283 
284 

285 
286 

287 
288 
289 
290 
291 
292 
293 
294 

295 
296 
297 
298 
299 
300 
301 
302 
303 



10.5 TPM_LoadKey2 



Start of informative comment: 



Before the TPM can use a key to either wrap, unwrap, bind, unbind, seal, unseal, sign or 
perform any other action, it needs to be present in the TPM. The TPM_LoadKey2 function 
loads the key into the TPM for further use. 

The TPM assigns the key handle. The TPM always locates a loaded key by use of the handle. 
The assumption is that the handle may change due to key management operations. It is the 
(responsibility of upper level software to maintain the mapping between handle and any 
ilabel used by external software. 

This command has the responsibility of enforcing restrictions on the use of keys. For 
example, when attempting to load a STORAGE key it will be checked for the restrictions on 
a storage key (2048 size etc.). V-\t'-\ 

The load command must maintain a record of whether any previous key in the key 
hierarchy was bound to a PCR using parentPCRStatus . 

The flag parentPCRStatus enables the possibility of checking that a platform passed 
through some particular state or states before finishing in the current state. A grandparent 
key could be linked to state- 1, a parent key could linked to state -2, and a child key could be 
linked to state-3, for example. The use of the child key then indicates that the platform 
passed through states 1 and 2 and is currently in state 3, in this example. TPM_Startup 
with stType == TPM_ST_CLEAR indicates that the platform has been reset, so the platform 
has not passed through the previous states. Hence keys with parentPCRStatus==TRUE 
must be unloaded if TPM_Startup is issued with stType == TPM_ST_CLEAR. 

If a TPM_KEY structure has been decrypted AND the integrity test using "pubDataDigest" 
has passed AND the key is non- migratory, the key must have been created by the TPM. So 
there is every reason to believe that the key poses no security threat to the TPM. While there 
is no known attack from a rogue migratory key, there is a desire to verify that a loaded 
migratory key is a real key, arising from a general sense of unease about execution of 
arbitrary data as a key. Ideally a consistency check would consist of an encrypt/decrypt , 
cycle, but this may be expensive. For RSA keys, it is therefore suggested that the' 
consistency test consists of dividing the supposed RSA product by the supposed RSA prime, 
and checking that there is no remainder. 



304 End of informative comment. 
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305 Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPMJTAG 


tag 


TPM_TAG_RQU_AUTH 1 _COMMAN D 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinat TPM_ORD_LoadKey 2. 


4 


4 






TPM_KEY_HANDLE 


parentHandle 


TPM handle of parent key. 


5 


<> 


2S 


<> 


TPM.KEY 


inKey 


Incoming key structure, both encrypted private and clear public portions. 
MAY be TPM_KEY12 


6 


4 






TPM_AUTHHANDLE 


authHandle 


The authorization session handle used for parentHandle authorization. 






2H1 


20 


TPM_NONCE 


authLastNonceEven 


Even nonce previously generated by TPM to cover inputs 


7 


20 


3H1 


20 


TPMJMONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


8 


1 


4H1 


1 


BOOL 


continueAuthSession 


The continue use flag for the authorization session handle 


9 


20 






TPM _AUTHDATA 


parentAuth 


The authorization session digest for inputs and parentHandle. HMAC 
key: parentKey.usageAuth. 


Outgoing Operands and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPMJTAG 


tag 


TPM_TAG_RSP J\UTH1_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_RESULT 


returnCode 


The return code of the operation. 






2S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal: TPM_ORDJ_oadKey 2 


4 


4 






TPM_KEY_HANDLE 


inkeyHandle 


Internal TPM handle where decrypted key was loaded. 


5 


20 


2H1 


20 


TPM.NONCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 






3H1 


20 


TPM_NONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


6 


1 


4H1 


1 


BOOL 


continueAuthSession 


Continue use flag, TRUE if handle is still active 


7 


20 






TPM _AUTHDATA 


resAuth 


The authorization session digest for the returned parameters. HMAC key: 
parentKey.usageAuth. 



307 Actions 

308 The TPM SHALL perform the following steps: 

309 1. Validate the command and the parameters using parentAuth and parentHandle -> 

310 usage Auth 

311 2. If parentHandle -> keyUsage is NOT TPM_KEY_STORAGE return 

312 TPM JNVALID_KEYUSAGE 

313 3. If the TPM is not designed to operate on a key of the type specified by inKey, return the 

3 14 error code TPM_BAD_KEY_PROPERTY 

315 4. The TPM MUST handle both TPM_KEY and TPM_KEY12 structures 

316 5. Decrypt the inKey -> privkey to obtain TPM_STORE_ASYMKEY structure using the key 

317 in parentHandle 
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318 6. Validate the integrity of inKey and decrypted TPM_STORE_ASYMKEY 

319 a. Reproduce inKey -> TPM_STORE_ASYMKEY -> pubDataDigest using the fields of 

320 inKey, and check that the reproduced value is the same as pubDataDigest 

32 1 7. Validate the consistency of the key and it's key usage. 

322 a. If inKey -> keyFlags -> migratable is TRUE, the TPM SHALL verify consistency of the 

323 public and private components of the asymmetric key pair. If inKey -> keyFlags -> 

324 migratable is FALSE, the TPM MAY verify consistency of the public and private 

325 components of the asymmetric key pair. The consistency of an RSA key pair MAY be 

326 verified by dividing the supposed (P*Q) product by a supposed prime and checking that 

327 there is no remainder.. 

328 b. If inKey -> keyUsage is TPMJKEYJDENTITY, verify that inKey- >keyFlags->migratable 

329 is FALSE. If it is not, return TPM_INVALID_KEYUSAGE 

330 c. If inKey -> keyUsage is TPM_KEY_AUTHCHANGE, return TPM_INVALID_KEYUSAGE 

331 d. If inKey -> keyFlags -> migratable equals 0 then verify that TPM_STORE_ASYMKEY - 

332 > migrationAuth equals TPM_PERMANENT_DATA -> tpmProof 

333 e. Validate the mix of encryption and signature schemes 

334 f. If TPM_PERMANENT_FLAGS -> FIPS is TRUE then 

335 i. If keylnfo -> keySize is less than 1024 return TPM_NOTFIPS 

336 ii. If keylnfo -> authDataUsage specifies TPM_AUTH_NEVER return TPM_NOTFIPS 

337 iii. If keylnfo -> keyUsage specifies TPM_KEY_LEGACY return TPM.NOTFIPS 

338 g. If inKey -> keyUsage is TPM_KEY_STORAGE or TPM_KEY_MIGRATE 

339 i. algorithmID MUST be TPM_ALG_RSA 

340 ii. Key size MUST be 2048 

341 iii. sigScheme MUST be TPM_SS_NONE 

342 h. If inKey -> keyUsage is TPM_KEY_IDENTITY 

343 i. algorithmID MUST be TPM_ALG_RSA 

344 ii. Key size MUST be 2048 

345 iii. encScheme MUST be TPM_ES_NONE 

346 i. If the decrypted inKey -> pcrlnfo is NULL, 

347 i. The TPM MUST set the internal indicator to indicate that the key is not using any 

348 PCR registers. 

349 j. Else 

350 i. The TPM MUST store pcrlnfo in a manner that allows the TPM to calculate a 

351 composite hash whenever the key will be in use 

352 ii. The TPM MUST handle both version 1.1 TPM_PCR_INFO and 1.2 

353 TPM_PCR_INFO_LONG structures according to the type of TPM_KEY structure 

354 (1) The TPM MUST validate the TPM_PCR_INFO or TPM_PCR_INFO_LONG 

355 structures 
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356 8. Perform any processing necessary to make TPM_STORE_ASYMKEY key available for 

357 operations 

358 9. Load key and key information into internal memory of the TPM. If insufficient memory 

359 exists return error TPM_NOSPACE. 

360 10. Assign inKeyHandle according to internal TPM rules. 

361 1 l.Set InKeyHandle -> parentPCRStatus to parentHandle -> parentPCRStatus. 

362 12. If ParentHandle indicates that it is using PCR registers, then set inKeyHandle -> 

363 parentPCRStatus to TRUE. 
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364 10.6 TPM_GetPubKey 




370 Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPMJTAG 


tag 


TPM_TAG.RQU_AUTH 1.COMMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal TPM_ORD_GetPubKey. 


4 


4 






7PM_KEY_HANDLE 


keyHandle 


TPM handle of key. 


5 


4 






TPM _AUTHHANDLE 


authHandle 


The authorization session handle used for keyHandle authorization. 






2H1 


20 


TPM_N0NCE 


authLastNonceEven 


Even nonce previously generated by TPM to cover inputs 


6 


20 


3H1 


20 


TPM .NONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


7 


1 


4H1 


1 


BOOL 


continueAuthSession 


The continue use flag for the authorization session handle 


8 


20 






TPM _AUTH DATA 


keyAuth 


Authorization HMAC key: key.usageAuth. 


Ou 


tgoing Operands and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


sz 


# 


SZ 


1 


2 






TPM_TAG 


tag 


TPM.TAG.RSP.AUTH1_COMMAND 


2 


4 






U1NT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM .RESULT 


returnCode 


The return code of the operation. 






2S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinat TPM_ORD_GetPu bKey . 


4 


<> 


3S 


<> 


TPM.PUBKEY 


pubKey 


Public portion of key in keyHandle. 


5 


20 


2H1 


20 


TPM_N0NCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 






3H1 


20 


TPM .NONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


6 


1 


4H1 


1 


BOOL 


continueAuthSession 


Continue use flag, TRUE if handle is still active 


7 


20 






TPM __AUTH DATA 


resAuth 


Authorization. HMAC key: key.usageAuth. 



372 Actions 

373 The TPM SHALL perform the following steps: 

374 1. Validate the command the parameters using keyAuth, on error 

375 a. If keyHandle has TPM_AUTH_PRrV_USE_ONLY ignore the error 

376 b. Otherwise return TPM_AUTHFAIL 

377 2. If keyHandle == TPM_KH_SRK then 

76 Level 2 Revision 94 29 March 2006 Draft 

TCG Published 



TPM Main Part 3 Commands TCG © Copyright 

Specification Version 1.2 

378 a. If TPM_PERMANENT_FLAGS -> readSRKPub is FALSE then return 

379 TPM_INVALID_KEYHANDLE 

380 3. If keyHandle -> pcrlnfoSize is not 0 

381 a. If keyHandle -> keyFlags has pcrlgnoredOnRead set to FALSE 

382 i. Create a digestAtRelease according to the specified PCR registers and compare to 

383 keyHandle -> digestAtRelease and if a mismatch return TPM_WRONGPCRVAL 

384 ii. If specified validate any locality requests 

385 4. Create a TPM„PUBKEY structure and return 
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386 

387 

388 
389 
390 

391 

392 

393 
394 



10.7 TPM Sealx 



Start of informative comment: 

The SEALX command works exactly like the SEAL command with the additional 
requirement of encryption for the inData parameter. This command also places in the 
sealed blob the information that the unseal also requires encryption. 

SEALX requires the use of 1 .2 data structures. The actions are the same as SEAL without 
the checks for 1 . 1 data structure usage. 

I End of informative comm e nt. -v-:-; • | 

Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM.TAG 


tag 


TPM_TAG_RQU_AUTH 1 _C0MMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM.COMMANDCODE j 


ordinal 


Command ordinat TPM_ORD_SealX 


4 


4 






T FM_KE Y_H AN DLE 


keyHandie 


Handle of a loaded key that can perform seal operations. 


5 


20 


2S 


20 


TPM.ENCAUTH 


encAuth 


The encrypted AuthData for the sealed data. The encryption key is the 
shared secret from the OSAP protocol. 


6 


4 


3S 


4 


UINT32 


pcrlnfoSize 


The see of the pcrlnfo parameter. If 0 there are no PCR registers in use 


7 


o 


4S 


<> 


TPM_PCR_INFO 


pcrlnfo 


MUST useTPM_PCR_INFO_LONG. 


| 8 


4 


5S 


4 


UINT32 


jnDataSize 


The size of the inData parameter 


9 


<> 


6S 


<> 


BYTE[] 


inData 


The data to be sealed to the platform and any specified PCRs 


10 


4 






TPM_AUTH HANDLE 


authHandle 


The authorization session handle used for keyHandie authorization. 
Must be an OSAP session for this command. 






2H1 


20 


TPM_N0NCE 


authLastNonceEven 


Even nonce previously generated by TPM to cover inputs 


11 


20 


3H1 


20 


TPMJJONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


12 


1 


4H1 


1 


BOOL 


cx>ntinueAuthSession 


Ignored 


13 


20 






TPM_AUTHDATA 


pubAuth 


The authorization session digest for inputs and keyHandie. HMAC key: 
key.usageAuth. 
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395 Outgoing Operands and Sizes 



PARAM 


HMAC 




Name 


Descriotion 


# 


SZ 


# 


SZ 


1 


2 






TPM_TAG 


tag 


TPM_TAG_RSP_AUTH 1 ^COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM RESULT 


returnCode 


The return code of the operation. 






2S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal: TPM_ORD_Sealx 


4 


<> 


3S 


4 


TPM_STORED_DATA 


sealedData 


Encrypted, integrity -protected data object that is the result of the 
TPM_Seak operation. 


5 


20 


2H1 


20 


TPM_N0NCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 






3H1 


20 


TPM_NONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


6 


1 


4H1 


1 


BOOL 


continueAuthSession 


Continue use flag, fixed value of FALSE 


7 


20 






TPM_AUTHDATA 


resAuth 


The authorization session digest for the returned parameters. HMAC key: 
key.usageAuth. 



396 


Actions 


397 


l. 


Validate the authorization to use the key pointed to by keyHandle 


398 


2. 


If the inDataSize is 0 the TPM returns TPM_BAD_PARAMETER 


399 
400 


3. 


If the keyUsage field of the key indicated by keyHandle does not have the value 
TPM_KEY_STORAGE, the TPM must return the error code TPM_INVALID_KEYUSAGE. 


401 
402 


4. 


If the keyHandle points to a migratable key then the TPM MUST return the error code 
TPM_INVALID_KEY_USAGE. 


403 


5. 


Create SI a TPM_STORED_DATA12 structure 


404 


6. 


Set si -> encDataSize to 0 


405 


7. 


Set si -> encData to NULL 


406 


8. 


Set s 1 -> seallnfoSize to pcrlnfoSize 


407 


9. 


If pcrlnfoSize is not 0 then 


408 




a. Validate pcrlnfo as a valid TPM_PCR_INFO_LONG structure, return TPM_BADINDEX 


409 




on error 


410 




b. Set si -> seallnfo -> creationPCRSelection to pcrlnfo -> creationPCRSelection 


411 




c. Set si -> seallnfo -> releasePCRSelection to pcrlnfo -> releasePCRSelection 


412 




d. Set si -> seallnfo -> digestAtRelease to pcrlnfo -> digestAtRelease 


413 




e. Set si -> seallnfo -> localityAtRelease to pcrlnfo -> localityAtRelease 


414 
415 




f. Create h2 the composite hash of the TPM_STCLEAR_DATA -> PCR selected by 
pcrlnfo -> creationPCRSelection 


416 




g. Set si -> seallnfo -> digestAtCreation to h2 


417 




h. Set si -> seallnfo -> localityAtCreation to TPM_STANY_DATA -> localityModifier 


418 


10. Create s2 a TPM_SEALED_DATA structure 
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419 1 1 . If authHandle indicates XOR encryption for the AuthData secrets 

420 a. Create XI the SHA-1 of the concatenation of (authHandle -> sharedSecret | | 

42 1 authLastNonceEven) 

422 b. Create al by XOR XI and encAuth 

423 c. Set si -> et to TPM_ET_XOR | | TPM_ET_KEY 

424 i. TPM_ET_KEY is added because TPMJJnseal uses NULL as a special value 

425 indicating no encryption. 

426 12. Else 

427 a. Create al by decrypting encAuth using the algorithm indicated in the OSAP session 

428 b. Key is from authHandle -> sharedSecret 

429 c. IV is SHA-1 of (authLastNonceEven | | nonceOdd) 

430 d. Set SI -> et to algorithm indicated in the OSAP session 

431 13. The TPM provides NO validation of al. Well-known values (like NULLS) are valid and 

432 possible. 

433 14. If authHandle indicates XOR encryption 

434 a. Use MGF1 to create string X2 of length inDataSize. The inputs to MGF1 are; 

435 authLastNonceEven, nonceOdd, "XOR", and authHandle -> sharedSecret. The four 

436 concatenated values form the Z value that is the seed for MFG1. 

437 b. Create ol by XOR of inData and X2 

438 15. Else 

439 a. Create ol by decrypting inData using the algorithm indicated by authHandle 

440 b. Key is from authHandle -> sharedSecret 

441 c. IV is SHA-1 of (authLastNonceEven | | nonceOdd) 

442 16. Create s2 a TPM_SEALED_DATA structure 

443 a. Set s2 -> payload to TPM_PT_SEAL 

444 b. Set s2 -> tpmProof to TPM_PERMANENT_DATA -> tpmProof 

445 c. Create h3 the SHA-1 of si 

446 d. Set s2 -> storedDigest to h3 

447 e. Set s2 -> authData to al 

448 f. Set s2 -> dataSize to inDataSize 

449 g. Set s2 -> data to ol 

450 17. Validate that the size of s2 can be encrypted by the key pointed to by keyHandle, return 

45 1 TPM__BAD_DATASIZE on error 

452 18. Create s3 the encryption of s2 using the key pointed to by keyHandle 

453 19. Set continueAuthSession to FALSE 

454 20. Set si -> encDataSize to the size of s3 
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455 2 1 . Set s 1 -> encData to s3 

456 22. Return si as sealedData 
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457 
458 

459 
460 

461 
462 

463 

464 

465 

466 
467 
468 

469 
470 
471 
472 

473 
474 
475 

476 
477 
478 

479 
480 
481 

482 



11. Migration 



Start of informative comment: 

The migration of a key from one TPM to another is a vital aspect to many use models of the 
TPM. The migration commands are the commands that allow this operation to occur. 

There are two types of migratable keys, the version 1.1 migratable keys and the version 1 .2 
certifiable migratable keys. 

End of informative comment. 



11.1 TPM_CreateMigrationBlob 



{Start of informative comment: j 

jThe TPM_CreateMigrationBlob command implements the first step in the process of moving 
|a migratable key to a new parent or platform. Execution of this command requires 
knowledge of the migrationAuth field of the key to be migrated. 

Migrate mode is generally used to migrate keys from one TPM to another for backup, 
upgrade or to clone a key on another platform. To do this, the TPM needs to create a data 
blob that another TPM can deal with. This is done by loading in a backup public key that 
will be used by the TPM to create a new data blob for a migratable key. 

The TPM Owner does the selection and authorization of migration public keys at any time 
prior to the execution of TPM^CreateMigrationBlob by performing the 
TPM_AuthorizeMigrationKey command. ; 

IReWrap mode is used to directly move the key to a new parent (either oh this platform or 
another). The TPM simply re -encrypts the key using a new parent, and outputs a normal 
encrypted element that can be subsequently used by a TPM_LoadKey command. 

TPM_Create MigrationBlob implicitly cannot be used to migrate a non-migratory key. No 
explicit check is required. Only the TPM knows tpmProof. Therefore it is impossible for the 
caller to submit an AuthData value equal to tpmProof and migrate a non-migratory key. 

End of informative comment. _ _ _ 
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483 Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPMJAG 


tag 


TPM_TAG_RQU_AUTH2_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


Q 
O 


4 


1S 


4 


TPM_C0MMAND_C0DE 


ordinal 


Command ordinal: TPM_ORD__CreateMigrationB1ob 


A 
H 


A 






TPM_KEYJHANDLE 


parentHandle 


Handle of the parent key that can decrypt encData. 


5 


2 


2S 


2 


TPM_MIGRATE_SCHEME 


migrationType 


The migration type, either MIGRATE or REWRAP 


6 


<> 


3S 


<> 


TPM_MIGRATIONKEYAUT H 


migrationKeyAuth 


Migration public key and its authorization session digest 


7 


4 


4S 


4 


UINT32 


encDataSize 


The size of the encData parameter 


8 


<> 


5S 


o 


BYTE[] | 


encData 


The encrypted entity that is to be modified. 


g 


4 






TPM_AUTHHANDLE 


parentAuthHandle 


The authorization session handle used for the parent key. 






2H1 


20 


TPM.NONCE 


authLastNonceEven 


Even nonce previously generated by TPM to cover inputs 


10 


20 


3H1 


20 


TPM.NONCE 


nonceOdd 


Nonce generated by system associated with parentAuthHandle 


11 


1 


4H1 


1 


BOOL 


continueAuthSession 


Continue use flag for parent session 


12 


20 




20 


TPM.AUTHDATA 


parentAuth 


Authorization HMAC key: parentKey.usageAuth. 


13 


4 






TPM_AUTH HANDLE 


entityAuthHandle 


The authorization session handle used for the encrypted entity. 






2H2 


20 


TPM.NONCE 


entitylastNonceEven 


Even nonce previously generated by TPM 


14 


20 


3H2 


20 


TPMJJONCE 


entitynonceOdd 


Nonce generated by system associated with entityAuthHandle 


15 


1 


4H2 


1 


BOOL 


continueEntitySession 


Continue use flag for entity session 


16 


20 






TPM_AUTHDATA 


entityAuth 


Authorization HMAC key: entity .migrationAuth. 



484 
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485 Outgoing Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


oZ. 


M 
ft 




1 








TPM_TAG 


taq 


TPM_TAG_RSP_AUTH2_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


lb 


>< 
4 


TPM RESULT 


returnCode 


The return code of the operation. 






£.0 


*f 


TPM_COMMAND_CODE 


ordinal 


Command ordinal: TPM_ORD_CreateMigrationB!ob ! 


A 

4 


4 


JO 




UINT32 


randomSize 


The used size of the output area for random 


c 
0 




4o 




BYTE[] 


random 


String used for xor encryption 


6 


4 


DO 


4 


UINT32 


outDataSize 


The used size of the output area for outData 


7 


o 


6S 


<> 


BYTE[] 


outData 


The modified, encrypted entity. 


8 


20 


3H1 


20 


TPM_N0NCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 






4H1 


20 


TPM_N0NCE 


nonceOdd 


Nonce generated by system associated with parentAuthHandle 


9 


1 


5H1 


1 


BOOL 


continueAuthSession 


Continue use flag for parent key session 


10 


20 




20 


TPM_AUTHDATA 


resAuth 


Authorization. HMAC key: parentKey.usageAuth. 


11 


20 


3H2 


20 


TPM_N0NCE 


entityNonceEven 


Even nonce newly generated by TPM to cover entity 






4H2 


20 


TPMJJONCE 


entitynonceOdd 


Nonce generated by system associated with entityAuthHandle 


12 


1 


5H2 


1 


BOOL 


continueEntity Session 


Continue use flag for entity session 


13 


20 






TPM.AUTHDATA 


entityAuth 


Authorization HMAC key: entity.migrationAuth. 



486 Description 

487 The TPM does not check the PCR values when migrating values locked to a PCR. 

488 The second authorization session (using entityAuth) MUST be OIAP because OSAP does not 

489 have a suitable entityType 

490 Actions 

491 1. Validate that parentAuth authorizes the use of the key pointed to by parentHandle. 

492 2. Create dl a TPM_STORE_ASYMKEY structure by decrypting encData using the key 



493 pointed to by parentHandle. 

494 a. Verify that dl -> payload is TPM_PT_ASYM . 

495 3. Validate that entityAuth authorizes the migration of dl. The validation MUST use dl -> 

496 migrationAuth as the secret. 

497 4. Verify that the digest within migrationKeyAuth is legal for this TPM and public key 

498 5. If migrationType == TPM_MS_MIGRATE the TPM SHALL perform the following actions: 

499 a. Build two byte arrays, Kl and K2: 

500 i. Kl = dl.privKey[0..19] (dl.privKey.keyLength + 16 bytes of dl.privKey.key), 

501 sizeof(Kl) = 20 

502 ii. K2 = dl.privKey[20..131] (position 16-127 of dl . privKey.key), sizeof(K2) = 112 

503 b. Build Ml a TPM_MIGRATE_ASYMKEY structure 
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504 i. TPMJMIGRATE__ASYMKEY.payload = TPM_PT_MIGRATE 

505 ii. TPM_MIGRATE_ASYMKEY.usageAuth = dl.usageAuth 

506 iii. TPM_MIGRATE_ASYMKEY.pubDataDigest = dl. pubDataDigest 

507 iv. TPM_MIGRATE_ASYMKEY.partPrivKeyLen = 112 - 127. 

508 v. TPM_MIGRATE_ASYMKEY. partPrivKey = K2 

509 c. Create ol (which SHALL be 198 bytes for a 2048 bit RSA key) by performing the 

510 OAEP encoding of m using OAEP parameters of 

511 i. m - M 1 the TPM_MIGRATE_ASYMKEY structure 

512 ii. pHash = d 1 - >migrationAuth 

513 iii. seed = si = Kl 

514 d. Create rl a random value from the TPM RNG. The size of rl MUST be the size of ol. 

515 Return rl in the Random parameter. 

516 e. Create xl by XOR of ol with rl 

517 f. Copy rl into the output field "random". 

518 g. Encrypt xl with the migration public key included in migrationKeyAuth. 

519 6. If migrationType == TPM_MS_REWRAP the TPM SHALL perform the following actions: 

520 a. Rewrap the key using the public key in migrationKeyAuth, keeping the existing 

52 1 contents of that key. 

522 b. Set randomSize to 0 in the output parameter array 

523 7. Else 

524 a. Return TPM_BAD_PARAMETER 
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525 

526 

527 
528 

529 
530 
531 
532 
533 

534 
535 



11.2 TPM_ConvertMigrationBlob 



Start of informative comment: 



This command takes a migration blob and creates a normal wrapped blob. The migrated 
blob must be loaded into the TPM using the normal TPM_LoadKey function. 

Note that the command migrates private keys, only. The migration of the associated public 
keys is not specified by TPM because they are not security sensitive. Migration of the 
associated public keys may be specified in a platform specific specification. A TPM_KEY 
structure must be recreated before the migrated key can be used by the target TPM in a 
TPMJLoadKey command. 



End of informative comment. 



Incoming Operands and Sizes 



PARAM 


hmac ; 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM_TAG 


tag 


TPM_TAG_RQU_AUTH1_C0MMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal: TPM_ORD_ConvertMigrationBlob. 


4 


4 






TPM_KE Y_H AN DLE 


parentHandle 


Handle of a loaded key that can decrypt keys. 


5 


4 


2S 


4 


UINT32 


inDataSize 


Size of inData 


6 


<> 


3S 


<> 


BYTE [ ] 


inData 


The XOR'd and encrypted key 


7 


4 


4S 


4 


UINT32 


randomSize 


Size of random 


8 


o 


5S 


<> 


BYTE [ 1 


random 


Random value used to hide key data. 


9 


4 






TPM_AUTH HANDLE 


authHandle 


The authorization session handle used for keyHandle. 






2H1 


20 


TPM_NONCE 


authLastNonceEven 


Even nonce previously generated by TPM to cover inputs 


10 


20 


3H1 


20 


TPM.NONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


11 


1 


4H1 


1 


BOOL 


continueAuthSession 


The continue use flag for the authorization session handle 


12 


20 






TPM.AUTHDATA 


parentAuth 


The authorization session digest that authorizes the inputs and the 
migration of the key in parentHandle. HMAC key: parentKey.usageAuth 



536 



86 



TCG Published 



Level 2 Revision 94 29 March 2006 Draft 



TPM Main Part 3 Commands 
Specification Version 1 .2 



TCG © Copyright 



537 Outgoing Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPMJAG 


tag 


TPM_TAG_RSP__AUTH1_C OMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_RESULT 


returnCode 


The return code of the operation. 






2S 


4 


TPM_COMMAND_CODE 


ordinal 


command ordinal, i KM_UKL»_convertMigraiionDioD 


4 


4 


3S 


4 


UINT32 


outDataSize 


The used size of the output area for outData I 


5 


o 


4S 


<> 


BYTE[] 


outData 


The encrypted private key that can be loaded with TPM_LoadKey 


6 


20 


2H1 


20 


TPM.N0NCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 






3H1 


20 


TPM_N0NCE 


nonceOdd 


Nonce generated by system associated with authHandle 


7 


1 


4H1 


1 


BOOL 


continueAuthSession 


Continue use flag, TRUE if handle is still active 


8 


20 






TPM.AUTHDATA 


resAuth 


The authorization session digest for the returned parameters. HMAC key 
parentKey.usageAuth 



538 


Action 


539 


The TPM SHALL perform the following: 


540 


1. 


Validate the AuthData to use the key in parentHandle 


541 


2. 


If the keyUsage field of the key referenced by parentHandle does not have the value 


542 




TPM_KEY_STORAGE, the TPM must return the error code TPM_INVALID_KEYUSAGE 


543 


3. 


Create dl by decrypting the inData area using the key in parentHandle 


544 


4. 


Create ol by XOR dl and random parameter 


545 


5. 


Create ml a TPM_MIGRATE_ASYMKEY structure, seed and pHash by OAEP decoding ol 


546 


6. 


Create kl by combining seed and the TPM_MIGRATE_ASYMKEY -> partPrivKey field 


547 


7. 


Create d2 a TPM_STORE_ASYMKEY structure 


548 




a. Verify that ml -> payload == TPM_PT_MIGRATE 


549 




b. Set d2 -> payload = TPM_PT_ASYM 


550 




c. Set d2 -> usageAuth to ml -> usageAuth 


551 




d. Set d2 -> migrationAuth to pHash 


552 




e. Set d2 -> pubDataDigest to ml -> pubDataDigest 


553 




f. Set d2 -> privKey field to kl 


554 


8. 


Create outData using the key in parentHandle to perform the encryption 
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555 

556 

557 
558 
559 

560 
561 

562 
563 



11.3 TPM_AuthorizeMigrationKey 



Start of informative comment: j 

This command creates an authorization , blob, to allow the TPM owner to specify which 
migration facility they will use and allow users to migrate information without further! 
! involvement with the TPM owner. 

It is the responsibility of the TPM Owner to determine whether migrationKey is appropriate 
for migration. The TPM checks just the cryptographic strength of migrationKey. 

End of informative comment. 



Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM_TAG 


tag 


TPM_TAG_RQU J\UTH1 .COMMAND 


| 2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag [ 


3 


4 


1S 


4 


TPM_C0MMAND_C0DE 


ordinal 


Command ordinat TPM_ORD_AuthorizeMigrationKey 


4 


2 


2S 


2 


TPM_MIGRATE_SCHEME 


migrationScheme 


Type of migration operation that is to be permitted for this key. 


4 


<> 


3S 


<> 


TPM.PUBKEY 


migrationKey 


The public key to be authorized. 


5 


4 






TPM_AUTHHANDLE 


authHandle 


The authorization session handle used for owner authentication, 






2H1 


20 


TPM_N0NCE 


authLastNonceEven 


Even nonce previously generated by TPM to cover inputs 


6 


20 


3H1 


20 


TPM.N0NCE 


nonceOdd 


Nonce generated by system associated with authHandle 


7 


1 


4H1 


1 


BOOL 


continueAuthSession 


The continue use flag for the authorization session handle 


8 


20 






TPM.AUTHDATA 


ownerAuth 


The authorization session digest for inputs and owner authorizatioa 
HMAC key: ownerAuth. 


Ou 


tgo 


ing C 


>per 


ands and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM.TAG 


tag 


TPM_TAG_RSP_AUTH 1 .COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM„RESULT 


returnCode 


The return code of the operation. 






2S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinat TPM_ORD_AuthorizeMigrationKey 


4 


<> 


3S 


<> 


TPM.MIGRATIONKEYAUTH 


outData 


Returned public key and authorization session digest. 


5 


20 


2H1 


20 


TPM_NONCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 






3H1 


20 


TPM_NONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


6 


1 


4H1 


1 


BOOL 


continueAuthSession 


Continue use flag, TRUE if handle is still active 


7 


20 






TPM.AUTHDATA 


resAuth 


The authorization session digest for the returned parameters. HMAC 
key: ownerAuth. 



564 



565 



566 Action 

567 The TPM SHALL perform the following: 
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568 
569 

D / \J 


1. 


Check that the cryptographic strength of migrationKey is at least that of a 2048 bit RSA 
key. If migrationKey is an RSA key, this means that migrationKey MUST be 2048 bits or 
greater 


D / 1 


o 
A . 


Validate the AuthData to use the TPM by the TPM Owner 






O 
O. 


Create a f 1 a TPM.MIGRATIONKEYAUTH structure 




573 

D / *T 

575 


4. 


Verify that migrationKey- > algorithmParms 
TPM_ES_RSAESOAEP_SHA 1_MGF 1 , and return 
TPM_INAPPROPRIATE_ENC if it is not 


-> encScheme is 
the error code 


576 


5. 


Set fl -> migrationKey to the input migrationKey 




577 


6. 


Set f 1 -> migrationScheme to the input migrationScheme 




578 
579 


7. 


Create vl by concatenating (migrationKey | | 
TPM_PERMANENT_DATA tpmProof) 


migrationScheme | | 


580 


8. 


Create hi by performing a SHA1 hash of vl 




581 


' 9. 


Set fl -> digest to hi 




582 


10. Return f 1 as outData 
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583 

584 

585 

586 
587 
588 
589 

590 
591 
592 

593 
594 
595 

596 
597 

598 
599 



11.4 TPM_MigrateKey 



Start of informative comment: 

The TPM_MigrateKey command performs the function of a migration authority. 

The command is relatively simple; it just decrypts the input packet (coming from 
TPM_CreateMigrationBlob or TPM_CMK_CreateHob) and then re -encrypts it with the input 
public key. The output of this command would then be sent to TPM_ConvertMigrationBlob 
or TPM_CMK_ConvertMigration on the target TPM. 

TPM_MigrateKey does not make ANY assumptions about the contents of the encrypte d blob. 
Since it does not have the XOR string, it cannot actually determine much about the key 
that is being migrated. 

This command exists to permit the TPM to be a migration authority. If used in this way, it is 
expected that the physical security of the system containing the TPM and the AuthData 
value for the MA key would be tightly controlled. 

To prevent the execution of this command using any other key as a parent key, this 
command works only if keyUsage for maKeyHandle is TPM_KEY_MIGRATE. 

i . " •■■;■[■-■■■ ' ■ . '.V:'-,' . .. . . / , , . . . ' . ."= 

End of informative comment, 



Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM_TAG 


tag 


TPM_TAG_RQU_AUTH1_C0MMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal: TPM_0RD_MigrateKey 


4 


4 






TPM_KEY_HANDLE 


maKeyHandle 


Handle of the key to be used to migrate the key. 


5 


<> 


2S 


o 


TPM_PUBKEY 


pubKey 


Public key to which the blob is to be migrated 


6 


4 


3S 


4 


UINT32 


inDataSize 


The size of inData 


7 


<> 


4S 


<> 


BYT5] 


inData 


The input blob 


8 


4 






TPM_AUTH HANDLE 


maAuthHandle 


The authorization session handle used for maKeyHandle. 






2H1 


20 


TPM_NONCE 


authLastNonceEven 


Even nonce previously generated by TPM to cover inputs 


9 


20 


3H1 


20 


TPMJMONCE 


nonceOdd 


Nonce generated by system associated with certAuthHandle ! 


10 


1 


4H1 


1 


BOOL 


contlnueAuthSession 


The continue use flag for the authorization session handle 


11 


20 






TPM_AUTHDATA 


keyAuth 


The authorization session digest for the inputs and key to be signed. 
HMAC key: maKeyHandle.usageAuth. 
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600 Outgoing Operands and Sizes 



Param 


HMAC i 


Type 


Name 


Description 


# 


Sz 


# 


Sz 


1 


2 






TPM.TAG 


tag 


TPMJTAG_RSP _ J AUTH1_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM.RESULT 


returnCode 


The return code of the operation. 






2S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinat TPM_ORD_MigrateKey 


4 


4 


3S 


4 


UINT32 


outDataSize 


The used size of the output area for outData 


5 


<> 


4S 


<> 


BYTE[] 


outOata 


The re-encrypted blob 


6 


20 


2H1 


20 


TPMJMONCE 


nonceEven 


Even nonce newly generated by TPM 






3H1 


20 


TPMJMONCE 


nonceOdd 


Nonce generated by system associated with certAuthHandle 


7 


1 


4H1 


1 


BOOL 


continueAuthSession 


Continue use flag for cert key session 


8 


20 






TPM.AUTHDATA 


keyAuth 


The authorization session digest for the target key. HMAC key: 
maKeyHandle.usageAuth 



601 Actions 

602 1. Validate that keyAuth authorizes the use of the key pointed to by maKeyHandle 

603 2. The TPM validates that the key pointed to by maKeyHandle has a key usage value of 

604 TPM_KEY_MIGRATE, and " that the allowed encryption scheme is 

605 TPM_ES_RSAESOAEP_SHA 1_MGF1. 

606 3. The TPM validates that pubKey is of a size supported by the TPM and that its size is 

607 consistent with the input blob and maKeyHandle. 

608 4. The TPM decrypts inData and re -encrypts it using pubKey. 
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609 

610 

611 
612 

613 
614 
615 

616 
617 

618 
619 



11.5 TPM CMK SetRestrictions 



Start of informative comment: 

This command is used by the Owner to dictate the usage of a certifiect migration key with 
delegated authorization (authorization other than actual owner authorization). 

This command is provided for privacy reasons and must not itself be delegated, because a 
certifled-migration-key may involve a contractual relationship between the Owner and an 

external entity. : : v;:-'vi&^ !: !V ;: .''.-.^:- ' : ■ ; : ;>} :C^\^. : ^! ; ' :t K^f v ; 

Since restrictions are validated at D SAP session use, there is no need to invalidate DSAP 
sessions when the restriction value changes. 

End of informative comment. 



Incoming Operands and Sizes 



PARAM 


HMAC I 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM_TAG 


tag 


TPM_TAG_RQU_AUTH 1 ^COMMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes incl. paramSize and fag 


3 


4 


1S 


4 


TPM_COMMAND_CODE 


ordinal 


Ordinal: TPM_ORD_CMK_SetRestrictions 


4 


4 


2S 


4 


TPM_CMK_DELEGATE 


restriction 


The bit mask of how to set the restrictions on CMK keys j 


5 


4 






TPM_AUTH H AN DLE 


authHandle 


The authorization session handle TPM Owner authentication 






2H1 


20 


TPMJvlONCE 


authLastNonceEven 


Even nonce previously generated by TPM to cover inputs 


6 


20 


3H1 


20 


TPM_N0NCE 


nonceOdd 


Nonce generated by system associated with authHandle 


7 


1 


4H1 


1 


BOOL 


continueAuthSession 


The continue use flag for the authorization session handle 


8 


20 






TPM_AUTHDATA 


ownerAuth 


The authorization session digest. HMAC key:ownerAuth 


Ou 


tgo 


ing C 


>per 


ands and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 




1 


2 






TPM.TAG 


tag 


TPM_TAG_RSP_AUTH 1 ..COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes 


3 


4 


1S 


4 


TPM_RESULT 


returnCode 


The return code of the operation 






2S 


4 


TPM_C0MMAND_C0DE 


ordinal 


Ordinal: TPM_ORD_CMK_SetRestrictions 


4 


20 


2H1 


20 


TPMJMONCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 






3H1 


20 


TPMJMONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


5 


1 


4H1 


1 


BOOL 


continueAuthSession 


Continue use flag, TRUE if handle is still active 


6 


20 






TPM_AUTHDATA 


resAuth 


Authorization HMAC key: ownerAuth. 



620 



621 

622 



Description 

TPM_PERMANENT_DATA -> restrictDelegate is used as follows 
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623 1. If the session type is TPM_PID_DSAP and TPM_KEY -> keyFlags -> migrateAuthority is 

624 TRUE 

625 a. If 

626 TPM_KEY_USAGE is TPM_KEY_SIGNING and restrictDelegate -> 

627 TPM_CMK_DELEGATE_SIGNING is TRUE, or 

628 TPM_KEY_USAGE is TPM_KEY_STORAGE and restrictDelegate -> 

629 TPM_CMK_DELEGATE_STORAGE is TRUE, or 

630 TPM_KEY_USAGE is TPM_KEY_BIND and restrictDelegate -> TPM_CMK_DELEGATE_BIND 

631 is TRUE, or 

632 TPM_KEY_USAGE is TPM_KEY_LEGACY and restrictDelegate -> 

633 TPM_CMK_DELEGATE_LEGACY is TRUE, or 

634 TPM_KEY_USAGE is TPM_KEY_MIGRATE and restrictDelegate -> 

635 TPM_CMK_DELEGATE_MIGRATE is TRUE 

636 then the key can be used. 

637 b. Else return TPM_INVALID_KEYU S AG E . 

638 Actions 

639 1. Validate the ordinal and parameters using TPM Owner authentication, return 

640 TPM_AUTHFAIL on error 

641 2. Set TPM_PERMANENT_DATA -> TPM_CMK_DELEGATE -> restrictDelegate = restriction 

642 3. Return TPM_SUCCESS 
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643 

644 

645 
646 
647 

648 
649 

650 
651 



11.6 TP M_C M K_ApproveM A 



Start of informative comment: I 

■ ' . •- • 

This command creates an authorization ticket, to allow the TPM owner to specify which 

Migration Authorities they .approve and allow users to create certified-migration-keys j 

without further involvement with the TPM owner. j 

It is the responsibility of the TPM Owner to determine whether a particular Migration 
[Authority is suitable to control migration 

End of informative comment. 



Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM_TAG 


tag 


TPM_TAG_RQU_AUTH1_C0MMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal: TPM_ORD_CMK_ApproveMA 


4 


20 


2S 


20 


TPMJDIGEST 


migration Authority Digest 


A digest of a TPM_MSA_COMPOSITE structure (itself one or more 1 
digests of public keys belonging to migration authorities) 


5 


4 






TPM.AUTHHANDLE 


authHandle 


The authorization session handle used for owner authentication. 






2H1 


20 


TPMJMONCE 


authLastNonceEven 


Even nonce previously generated by TPM to cover inputs 


6 


20 


3H1 


20 


TPM.NONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


7 


1 


4H1 


1 


BOOL 


continueAuthSession 


The continue use flag for the authorization session handle 


8 


20 






TPM_AUTHDATA 


ownerAuth 


Authorization HMAC, key: ownerAuth. 



652 Outgoing Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM_TAG 


tag 


TPM_TAG_RSP_AUTH 1 .COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_RESULT 


returnCode 


The return code of the operation. 






2S 


4 


TPM.COMMANDCODE 


ordinal 


Command ordinal TPM_ORD_CMK_ApproveMA 


4 


20 


3S 


20 


TPM.HMAC 


outData 


HMAC of migrationAuthority Digest 


5 


20 


2H1 


20 


TPM_NONCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 






3H1 


20 


TPM.NONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


6 


1 


4H1 


1 


BOOL 


continueAuthSession 


Continue use flag, TRUE if handle is still acfve 


7 


20 






TPM.AUTHDATA 


resAuth 


Authorization HMAC , key: ownerAuth. 



653 
654 
655 
656 



Action 

The TPM SHALL perform the following: 

1 . Validate the AuthData to use the TPM by the TPM Owner 

2. Create M2 a TPM CMK MA APPROVAL structure 
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657 a. Set M2 ->migrationAuthorityDigest to migrationAuthorityDigest 

658 3, Set outData = HMAC(M2) using tpmProof as the secret 

659 4. Return TPM.SUCCESS 
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660 

661 

662 
663 

664 
665 
666 

667 
668 
669 
670 

671 
672 
673 

674 
675 



11.7 TPM_CMK_CreateKey 



Start of informative comment: 

The TPM_CMK_CreateKey command both generates and creates a secure storage bundle for 
asymmetric keys whose migration is controlled by a migration authority. 

TPM_CMK_CreateKey is very similar to TPM_CreateWrapKey, but: (1) the resultant key must 
be a migratable key and can be migrated only by TPM_CMK_CreateBlob; (2) the command is 
Owner authorized via a ticket. 

TPM_CMK^CreateKey creates an otherwise normal migratable key except that (1) 
migrationAuth is an HMAC of the migration authority and the new key's public key, signed 
by tpmProof (instead of being tpmProof); (2) the migrationAuthority bit is set TRUE; (3) the 
payload type is TPM_PT_MIGRATE_RESTRICTED . 

The migration-selection/migration authority is specified by passing in a public key (actually 
the digests of one or more public keys, so more than one migration authority can be 
specified). 

End of informative comment. 



Incoming Operands and Sizes 



PARAM 


HMAC | 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM.TAG 


tag 


TPM_TAG_RQU_AUTH1_C0MMAND 


2 


4 






UINT32 ; 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal: TPM_0RDCMK_CreateKey 


4 


4 






TPM_KEY_HANDLE 


parentHandle 


Handle of a loaded key that can perform key wrapping. 


5 


20 


2S 


20 


TPM_ENCAUTH 


datallsageAuth 


Encrypted usage AuthData for the sealed data. 


6 


<> 


3S 


<> 


TPM_KEY12 


keylnfo 


Information about key to be created, pubkey.keyLength and 
keylnfo.encData elements are 0. MUST be TPM_KEY12 


7 


20 


4S 


20 


TPM_HMAC 


migrationAuthorityApproval 


A ticket, created by the TPM Owner using TPM_CMK_ApproveMA, 
approving a TPM_MSA_COMPOSITE structure 


8 


20 


5S 


20 


TPM.DIGEST 


migrationAuthorityDigest 


The digest of a TPM_MSA_COMPOSITE structure 


9 


4 






TPM_AUTHHANDLE 


authHandle 


The authorization session handle used for parent key authorization. 
Must be an OSAP session. 






2H1 


20 


TPNLNONCE 


authLastNonceEven 


Even nonce previously generated by TPM to cover inputs 


10 


20 


3H1 


20 


TPM.NONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


11 


1 


4H1 


1 


BOOL 


continueAuthSession 


Ignored 


12 


20 






TPM_AUTHDATA 


pubAuth 


The authorization session digest that authorizes the use of the public 
key in parentHandle. HMAC key: parentKey.usageAuth. 
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676 Outgoing Operands and Sizes 



PARAM 


HMAC 


Turin 

iype 


M di lit; 




# 


SZ 


# 


SZ 


j 1 


2 






TPMJTAG 


tag 


TPM_TAG_RSP_AUTH1_C0MMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM PPQI II T 

l rlvi_r\CoUL l 


rati im^nria 


i lie iclUIII tAXJo Ul ulc uptfldllUlt. 






2S 


4 


TPM_C0MMAND_C0DE 


ordinal 


Command ordinal: TPM_ORD_CMK_CreateKey 


4 


o 


3S 


o 


TPM_KEY12 


wrappedKey 


The TPM KEY structure which includes the public and encrypted private 
key. MUST be TPM_KEY12 


5 


20 


2H1 


20 


TPMJsJONCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 






3H1 


20 


TPM_N0NCE 


nonceOdd 


Nonce generated by system associated with authHandle 


6 


1 


4H1 


1 


BOOL 


continueAuthSession 


Continue use flag, fixed at FALSE 


7 


20 






TPM.AUTHDATA 


resAuth 


The authorization session digest for the returned parameters. HMAC key: 
parentKey.usageAuth. 



677 Actions 

678 The TPM SHALL do the following: 

679 1. Validate the AuthData to use the key pointed to by parentHandle. Return 

680 TPM_AUTHFAIL on any error 

681 2. Validate the session type for parentHandle is OSAP 

682 3. If the TPM is not designed to create a key of the type requested in keylnfo, return the 

683 error code TPM_BAD_KEY_PROPERTY 

684 4. Verify that parentHandle ->keyUsage equals TPM_KEY_STORAGE 

685 5. Verify that parentHandle -> keyFlags-> migratable == FALSE and parentHandle -> 

686 encData -> migrationAuth == tpmProof 

687 6. If keylnfo -> keyFlags -> migratable is FALSE, return TPMJNVALID_KEYUSAGE 

688 7. If keylnfo -> keyFlags -> migrateAuthority is FALSE , return TPM_INVALID_KEYUSAGE 

689 8. Verify that the migration authority is authorized 

690 a. Create Mia TPM_CMK_MA_APPROVAL structure 

691 i. Set Ml ->migrationAuthorityDigest to migrationAuthorityDigest 

692 b. Verify that migrationAuthorityApproval == HMAC (Ml) using tpmProof as the secret 

693 and return error TPM_MA_AUTHORITY on mismatch 

694 9. Validate key parameters 

695 a. keylnfo -> keyUsage MUST NOT be TPM_KEY_IDENTITY or 

696 TPM_KEY_AUTH CHANGE. If it is, return TPM JNVALIDJCEYU SAGE 

697 1 0. If TPM_PERMANENT_FLAGS -> FIPS is TRUE then 

698 a. If keylnfo -> keySize is less than 1024 return TPM_NOTFIPS 

699 b. If keylnfo -> authDataUsage specifies TPM_AUTH_NEVER return TPM_NOTFIPS 
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700 c. If keylnfo -> keyUsage specifies TPM_KEY_LEGACY return TPM^NOTFIPS 

70 1 1 1 . If keylnfo -> keyUsage equals TPM _KEY„STORAGE or TPM_KEY__MIGRATE 

702 a. algorithmID MUST be TPM_ALG_RSA 

703 b. encScheme MUST be TPM_ES_RSAESOAEP_SHAl_MGFl 

704 c. sigScheme MUST be TPM_SS_NONE 

705 d. key size MUST be 2048 

706 12. If keyinfo -> tag is NOT TPM_TAGJKEY 1 2 return error TPM_INVALID_STRUCTURE 

707 13. Map wrappedKey to a TPM_KEY12 structure 

708 14. If authHandle indicates XOR encryption for the AuthData secrets 

709 a. Create XI the SHA-1 of the concatenation of (authHandle -> sharedSecret | | 

710 authLastNonceEven) 

711 b. Create DU 1 by XOR XI and dataUsageAuth 

712 15. Else 

713 a. Create DU1 by decrypting dataUsageAuth using the algorithm indicated in the OSAP 

714 session 

715 b. Key is from authHandle -> sharedSecret 

716 c. IV is SHA-1 of (authLastNonceEven | | nonceOdd) 

717 16. Set continueAuthSession to FALSE 

718 17. Generate asymmetric key according to algorithm information in keylnfo 

719 18. Fill in the wrappedKey structure with information from the newly generated key. 

720 a. Set wrappedKey -> encData -> usageAuth to.DUl 

721 b. Set wrappedKey -> encData -> payload to TPM_PTJvIIGRATE_RESTRICTED 

722 c. Create thisPubKey, a TPM_PUBKEY structure containing wrappedKey's public key 

723 and algorithm parameters 

724 d. Create M2 a TPM_CMK_MIGAUTH structure 

725 i. Set M2 -> msaDigest to migrationAuthorityDigest 

726 ii. Set M2 -> pubKeyDigest to SHA-1 (thisPubKey) 

727 e. Set wrappedKey -> encData -> migrationAuth equal to HMAC(M2), using tpmProof as 

728 the shared secret 

729 19. If wrappedKey- >PCRInfoSize is non-zero 

730 a. Set wrappedKey -> pcrlnfo to a TPMJPCRJNFO_LONG structure 

731 b. Set digestAtCreation to the TPM_COMPOSITE_HASH indicated by 

732 creationPCRSelection 

733 c. Set localityAtCreation to TPM_STANY_FLAGS -> localityModifier 

734 20. Encrypt the private portions of the wrappedKey structure using the key in parentHandle 

735 2 1 . Return the newly generated key in the wrappedKey parameter 
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736 

737 

738 
739 

740 
741 

742 
743 



11.8 TPM CMK CreateTicket 



Start of informative comment: 

The TPM_CMK_CreateTicket ; command uses a public key to verify the signature over a 

'digest.'' " "[ " ■ ■ . ;7 : ! . : 

TPM_CMK_CreateTicket returns a ticket that can be used to prove to the same TPM that 
signature verification with a particular public key was successful. 

End of informative comment. 



Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM_TAG 


tag 


TPM_TAG_RQU_AUTH 1_C0MMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_C0MMAND_C0DE 


ordinal 


Command ordinal: TPM_ORD_CMK_CreateTicket 


4 


o 


2S 


<> 


TPM.PUBKEY 


verificatipnKey 


The public key to be used to check signatureValue 


5 


20 


3S 


20 


TPM.DIGEST 


signedData 


The data to be verified 


6 


4 


4S 


4 


UINT32 


signatureValueSize 


The size of the signatureValue 


7 


<> 


5S 


o 


BYTEQ 


signatureValue 


The signatureValue to be verified 


8 


4 






TPM_AUTHHANDLE 


authHandle 


The authorization session handle used for owner authenticatioa 






2H1 


20 


TPMJMONCE 


authLastNonceEven 


Even nonce previously generated by TPM to cover Inputs 


9 


20 


3H1 


20 


TPM_N0NCE 


nonceOdd 


Nonce generated by system associated with authHandle 


10 


1 


4H1 


1 


BOOL 


continueAuthSession 


Ignored 


11 


20 






TPM_AUTHDATA 


pubAuth 


The authorization session digest for inputs and owner. HMAC key: 
ownerAuth. 
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744 Outgoing Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM_TAG 


tag 


TPM_TAG_RSP_AUTH 1 _COMMAN D 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_RESULT 


returnCode 


The return code of the operation. 






2S 


4 


TPM_C0MMAND_C0DE 


ordinal 


Command ordinal: TPMJ}RD_CMK_CreateTicket 


4 


20 


3S 


20 


TPM_HMAC 


sigTicket 


Ticket that proves digest created on this TPM 


5 


20 


2H1 


20 


TPM.NONCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 






3H1 


20 


TPMJMONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


6 


1 


4H1 


1 


BOOL 


continueAuthSession 


Continue use flag 


7 


20 






TPM_AUTHDATA 


resAuth 


Authorization. HMAC key:. ownerAuth. 



745 

746 

747 

748 

749 

750 

751 
752 

753 
754 

755 

756 

757 

758 

759 



Actions 

The TPM SHALL do the following: 

1 . Validate the TPM Owner authentication to use the command 

2. Validate that the key type and algorithm are correct 

a. Validate that verificationKey -> algorithmParms -> algorithmID == TPM_ALG_RSA 

b. Validate that verificationKey -> algorithmParms ->encScheme == TPM_ES_NONE 

c. Validate that verificationKey ->algorithmParms ->sigScheme 
TPM SS RSASSAPKCSlvl5_SHAl 



is 



3. Use verificationKey to verify that signature Value is a valid signature on signedData, and 
return error TPM_BAD_SIGNATURE on mismatch 

4. Create M2 a TPM_CMK_SIGTICKET 

a. Set M2 -> verKeyDigest to the SHA-1 (verificationKey) 

b. Set M2 -> signedData to signedData 

5. Set sigTicket = HMAC(M2) signed by using tpmProof as the secret 

6. Return TPM_SUCCESS 
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760 

761 

762 
763 
764 
765 
766 

767 
768 
769 
770 
771 
772 
773 

774 



11.9 TPM CMK CreateBlob 



Start of informative comment: 

TPM_CMK_CreateBlob command is very similar to TPM_CreateMigrationBlob, except that it 

(1) uses an extra ticket (restrictedKeyAuth) instead- of a migrationAuth authorization 
session; (2)- ■ uses the migration options TPM_MS_RESTRICT_MIGRATE or 
TPMJMSJ^ (3) produces a wrapped key blob whose 
migrationAuth is independent of tpmProof. 

If the destination (parent) public key is the MA, migration is implicitly permitted. Further 
checks are required if the MA is not the destination (parent) public key, and merely selects 
a migration destination: (lj sigficket must prove that restrictTicket was signed by the MA; 

(2) restrictTicket must vouch that the target public key is approved for migration to the 
destination (parent) public key. (Obviously, this more complex method may also be used by 
an MA to approve migration to that MA.) In both cases, the MA must be one of the MAs 
implicitly listed in the migrationAuth of the target key-to-be -migrated. 

End of informative comment. ; . 
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775 Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM_TAG 


tag 


TPM_TAG_RQU_AUTH1_C0MMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_C0MMAND_C0DE 


ordinal 


Command ordinal: TPM_OR D_CMK_CreateBlob 


4 


4 






TPM_KE Y_H AN DLE 


parentHandle 


Handle of the parent key that can decrypt encData. 


5 


2 


2S 


2 


TPM_MIGRATE_SCHEME 


migrationType 


The migration type, either TPM MS RESTRICT MIGRATE or 
TPM_MS_RESTRICT_APPROVE_DOUBLE 


6 


<> 


3S 


o 


TPM_MIGRATIONKEYAUTH 


migrationKeyAuth 


Migration public key and its authorization session digest 


"7 
f 


on 


4o 




TPMJDIGEST 


pubSourceKeyDigest 


The digest of the TPM_PUBKEY of the entity to be migrated 


8 


4 


5S 


4 


UINT32 


msaListSize 


Tho ci*7d nf tho meal ict naramotor u/hirh r a v/ariahlo lonnth 

TPM^MSA^COMPOSITEstructure 


9 


<> 


6S 


o 


1 KM JVloA_OUlVlrUbl 1 b 


msaList 


One or more digests of public keys belonging to migration authorities 


10 


4 


7S 


4 


UINT32 


restrictTicketSize 


Tho C170 nf tho roctri/'t'nptot nara motor \A/hif*h ic a TPM C'fMC Al ITW 
1 lie o\£s3 UI Ule IcoUILl 1 ILAcl pdldlliclcl, WIIMI lo a 1 rlvl OlVlrx rU I n 

structure if migration type is TPM_MS_RESTRICTAPPROVE_DOUBLE 


11 


o 


8S 


o 


BYTEQ 


restrictTicket 


Either a NULL parameter or a TPM_CMK_AUTH structure, containing fie 
digests of the public key s belonging to the Migration Authoriy, the 
destination parent key and the key -to-be-migrated. 


12 


4 


9S 


4 


UIIN 1 Oc. 


big 1 IUI\CIDI£C 


The size of the sigTicket parameter, which is a TPM_HMAC structure if 
migration type is TPM_MS_RESTRICT_APPROVE_DOUBLE. 


13 


o 


10S 


o 


BYTEO 


sigTicket 


Either a NULL parameter or a TPMJHMAC structure, generated by the 
TPM, signaling a valid signature over restrictTicket 


14 


4 


11S 


4 


UINT32 


encDataSize 


The size of the encData parameter 


15 


<> 


12S 


<> 


BYTEQ 


encData 


The encrypted entity that is to be modified. 


16 


4 






TPM.AUTHHANDLE 


parentAuthMandle 


The authorization session handle used for the parent key. 






2H1 


20 


TPM_N0NCE 


authLastNonceEven 


Even nonce previously generated by TPM to cover inputs 


17 


20 


3H1 


20 


TPM.N0NCE 


nonceOdd 


Nonce generated by system associated with parentAuthHandle 


18 


1 


4H1 


1 


BOOL 


continueAuthSession 


Continue use flag for parent session 


19 


20 




20 


TPM_AUTHDATA 


parentAuth 


HMAC key: parentKey.usageAuth. 
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776 Outgoing Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM.TAG 


tag 


TPM_TAG_RSP_AUTH1_C0MMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM.RESULT 


returnCode 


The return code of the operation. 






2S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal: TPM_ORD_CMK_CreateBlob 


4 


4 


3S 


4 


UINT32 


randomSize 


The used size of the output area for random 


5 


o 


4S 


<> 


BYTE[] 


random 


String used for xor encryption 


6 


4 


5S 


4 


UINT32 


outDataSize 


The used size of the output area for outData 


7 


<> 


6S 


<> 


BYTE[] 


outData 


The modified, encrypted entity. 


8 


20 


3H1 


20 


TPM.N0NCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 






4H1 


20 


TPMJMONCE 


nonceOdd 


Nonce generated by system associated with parentAuthHandle 


: 9 


1 


5H1 


: 1 


BOOL 


continueAuthSession 


Continue use flag for parent key session 


10 


20 




20 


TPM_AUTHDATA 


resAuth 


HMAC key: parentKey. usage Auth. 



777 Description 

778 The TPM does not check the PCR values when migrating values locked to a PCR. 

779 Actions 

780 1. Validate that parentAuth authorizes the use of the key pointed to by parentHandle. 

781 2. Verify that parentHandle -> key Flags- > migratable == FALSE and parentHandle -> 

782 encData -> migrationAuth == tpmProof 

783 3. Create dl by decrypting encData using the key pointed to by parentHandle. 

784 4. Verify that the digest within migrationKeyAuth is legal for this TPM and public key 

785 5. Verify that dl -> payload === TPM__PT_MIGRATE_RESTRICTED or 

786 TPM_PT_MIGRATE_EXTERNAL 

787 6. Verify that the migration authorities in msaList are authorized to migrate this key 

788 a. Create M2 a TPM_CMK_MIGAUTH structure 

789 i. Set M2 -> msaDigest to SHA1 [msaList] 

790 ii. Set M2 -> pubKeyDigest to pubSourceKeyDigest 

791 b. Verify that dl -> migrationAuth == HMAC(M2) using tpmProof as the secret and 

792 return error TPM_MA_AUTHORITY on mismatch 

793 7. If migrationKeyAuth -> migrationScheme == TPM_MS_RESTRICT_MIGRATE 

794 a. Verify that intended migration destination is an MA: 

795 i. For one of n=l to n= (msaList -> MSAlist), verify that SHA1 [migrationKeyAuth -> 

796 migrationKey] == msaList -> migAuthDigest[n] 

797 b. Validate that the MA key is the correct type 
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798 i. Validate that migrationKeyAuth -> migrationKey -> algorithmParms -> 

799 algorithmID == TPM_ALG_RSA 

800 ii. Validate that migrationKeyAuth -> migrationKey -> algorithmParms -> encScheme 

801 is an encryption scheme supported by the TPM 

302 iii. Validate that migrationKeyAuth -> migrationKey -> algorithmParms -> sigScheme 

803 is TPM_SS_NONE 

804 8. else If migrationKeyAuth -> migrationScheme — 

805 TPM_MS_RESTRICT_APPROVE_DOUBLE, 

306 a. Verify that the intended migration destination has been approved by the MSA: 

307 i. Verify that for one of the n=l to n=(msaList -> MSAlist) values of msaList -> 

308 migAuthDigest[n], sigTicket == HMAC (VI) using tpmProof as the secret where VI 

309 is a TPM_CMK_SIGTICKET structure such that: 

810 (1) VI -> verKeyDigest = msaList -> migAuthDigest[n] 

311 (2) VI -> signedData = SHAl[restrictTicket] 

312 ii. If [restrictTicket -> destinationKeyDigest] != SHA1 [migrationKeyAuth -> 

813 migrationKey], return error TPM_MA_DESTINATION 

814 iii. If [restrictTicket -> sourceKeyDigest] != pubSourceKeyDigest, return error 

815 TPM_MA_SOURCE 

316 9. Else return with error TPM_BAD_PARAMETER. 

317 10. Build two bytes array, Kl and K2, using dl: 

318 a. Kl - TPMJ3TORE_ASYMKEY.privKey[0.. 19] 

319 (TPM_STORE_ASYMKEY.privKey . keyLength + 16 bytes of 

320 TPM_STORE_ASYMKEY.privKey.key), sizeof(Kl) = 20 

321 b. K2 = TPM_STORE_ASYMKEY.privKey[20..131] (position 16-127 of 

322 TPM_STORE_ASYMKEY . privKey.key), sizeof(K2) = 112 

823 11. Build M 1 a TPM_MIGRATE_ASYMKEY structure 

824 a. TPM_MIGRATE_ASYMKEY. payload = TPM_PT_CMK_MIGRATE 

825 b. TPM_MIGRATE_ASYMKEY.usageAuth = TPM_STORE_ASYMKEY.usageAuth 

326 c. TPM_MIGRATE_ASYMKEY. pubDataDigest = TPM_STORE_ASYMKEY. pubDataDigest 

327 d. TPM_MIGRATE_ASYMKEY. partPrivKeyLen =112-127. 

328 e. TPM_MIGRATE_ASYMKEY.partPrivKey = K2 

329 12. Create ol (which SHALL be 198 bytes for a 2048 bit RSA key) by performing the OAEP 

830 encoding of m using OAEP parameters m, pHash, and seed 

831 a. m is the previously created M 1 

332 b. pHash = SHA1( SHA 1 [msaList] | | pubSourceKeyDigest) 

833 c. seed = si = the previously created Kl 

834 13. Create rl a random value from the TPM RNG. The size of rl MUST be the size of ol. 

835 Return rl in the random parameter 
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336 14.Create xl by XOR of ol with rl 

S37 15. Copy rl into the output field "random" 

338 16. Encrypt xl with the migrationKeyAuth-> migrationKey 



Level 2 Revision 94 29 March 2006 Draft 105 

TCG Published 



Copyright © TCG 



TPM Main Part 3 Commands 
Specification Version 1 .2 



839 

340 

841 

842 
843 
844 

845 
846 
847 
848 
849 

850 
851 
852 

853 
854 



1 1 .1 OTPM_CMK_ConvertMigration 



Start of informative comment: 

TPM_CMK_ConvertMigration completes the migration of certified migration blobs. 

This command takes a certified migration blob and creates a normal wrapped blob with 
payload type TPM_PT_MIGRATE_EXTERNAL. The migrated blob must be loaded into the 
TPM using the normal TPMJLoadKey function. 

Note that the command migrates private keys, only. The migration of the associated public 
keys is not specified by TPM because they are not security sensitive. Migration of the 
associated public keys may be specified in a platform specific specification. A TPM_KEY 
structure must be recreated before the migrated key can be used by the target TPM in a 

nand. 



TPMJLoadKey commam 

TPM_GMK_GonvertMigration checks that one of the MAs implicitly listed in the 
migrationAuth of the target key has approved migration of the target key to the destination 
(parent) key, and that the settings (flags etc.) in the target key are those of a CMK. 

End of informative comment. 



Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPMJTAG 


tag 


TPM_TAG_RQU_AUTH 1 _COMMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_COMM AN D_C ODE 


ordinal 


Command ordinal: TPMJ3RD_CMK_ConvertMigration 


4 


4 






TPM_KEYJHANDLE 


parentHandte 


Handle of a loaded key that can decrypt keys. 


5 


60 


2S 


60 


TPM_CMK_AUTH 


restrictTicket 


The digests of public keys belonging to the Migration Authority, the 
destination parent key and the key -to-be-migrated. 


6 


20 


3S 


20 


TPMJHMAC 


sigTicket 


A signature ticket, generated by the TPM, signaling a valid signature 
over restrictTicket 


7 


<> 


4S 


<> 


TPM_KEY12 


migratedKey 


The public key of the key -to-be-migrated. The private portion MUST be 
TPM_MIGRATE_ASYMKEY properly XOR'd 


8 


4 


5S 


4 


UINT32 


msaListSize 


The size of the msaList parameter, which is a variable length 
TPM_MSA_COMPOSITEstructure 


9 


o 


6S 


o 


TPM_MSA_C0MP0SITE 


msaList 


One ormore digests of public keys belonging to migration authorities 


10 


4 


7S 


4 


UINT32 


randomSize 


Size of random 


11 


<> 


8S 


o 


BYTE [ ] 


random 


Random value used to hide key data. 


12 


4 






TPM.AUTHHANDLE 


authHandle 


The authorization session handle used for keyHandle. 






2H1 


20 


TPM.NONCE 


authLastNonceEven 


Even nonce previously generated by TPM to cover inputs 


13 


20 


3H1 


20 


TPMJMONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


14 


1 


4H1 


1 


BOOL 


continueAuthSession 


The continue use flag for the authorization session handle ! 


15 


20 






TPM_AUTHDATA 


parentAuth 


Authorization HMAC : parentKey.usageAuth 
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355 Outgoing Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM_TAG 


tag 


TPM^TAG_RSP_AUTH1_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_RESULT 


returnCode 


The return code of the operation. 






2S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal: TPM_ORD_CMK_ConvertMigration 


4 


4 


3S 


4 


UINT32 


outDataSize 


The used size of the output area for outData 


5 


o 


4S 


o 


BYTE[] 


outData 


The encrypted private key that can be loaded with TPM_LoadKey 


6 


20 


2H1 


20 


TPM.N0NCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 






3H1 


20 


TPM.NONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


7 


1 


4H1 


1 


BOOL 


continueAuthSession 


Continue use flag, TRUE if handle is still active 


8 


20 






TPM_AUTHDATA 


resAuth 


Authorization HMAC key .usageAuth 



356 Action 

357 1 . Validate the AuthData to use the key in parentHandle 

358 2. If the keyUsage field of the key referenced by parentHandle does not have the value 

359 TPM_KEY_STO RAGE , the TPM must return the error code TPM_INVALID_KEYUSAGE 

360 3. Create dl by decrypting the migratedKey -> encData area using the key in parentHandle 

361 4. Create ol by XOR dl and random parameter 

362 5. Create ml a TPM_MIGRATE_ASYMKEY, seed and pHash by OAEP decoding ol 

363 6. Create migratedPubKey a TPM_PUBKEY structure corresponding to migratedKey 

364 a. Verify that pHash == SHA1( SHAl[msaList] | | SHA1 (migratedPubKey ) 

365 7. Create kl by combining seed and the TPM_MIGRATE_ASYMKEY -> partPrivKey field 

366 8. Create d2 a TPM_STORE_ASYMKEY structure. 

367 a. Set the TPM_STORE_ASYMKEY -> privKey field to kl 

368 b. Set d2 -> usageAuth to ml -> usageAuth 

869 c. Set d2 -> pubDataDigest to ml -> pubDataDigest 

870 9. Verify that parentHandle -> keyFlags -> migratable == FALSE and parentHandle -> 

371 encData -> migrationAuth == tpmProof 

372 lO.Verify that ml -> payload == TPM_PT_CMK_MIGRATE then set d2-> payload = 
873 TPM_PT_MIGRATE_EXTERNAL 

374 11. Verify that for one of the n=l to n=(msaList -> MSAlist) values of msaList -> 

375 migAuthDigest[n] sigTicket == HMAC (VI) using tpmProof as the secret where VI is a 
576 TPM_CMK_SIGTICKET structure such that: 

877 a. VI -> verKeyDigest = msaList -> migAuthDigest[n] 

878 b. VI -> signedData = SHAl[restrictTicket] 
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879 12. Create parentPubKey, a TPM_PUBKEY structure corresponding to parentHandle 

380 13. If [restrictTicket -> destinationKeyDigest] != SHA1 (parentPubKey), return error 

381 TPM_MA_DESTINATION 

882 14. Verify that migratedKey is corresponding to d2 

383 15. If migratedKey -> keyFlags -> migratable is FALSE, and return error 

384 TPM_INVALID_KEYUSAGE 

385 16. If migratedKey -> keyFlags -> migrateAuthority is FALSE, return error 

386 TPM_INVALID_KEYUSAGE 

387 17. If [restrictTicket -> sourceKeyDigest] != SHAl(migratedPubKey), return error 

388 TPMJVL\_SOURCE 

389 18. Create M2 a TPM_CMK_MIGAUTH structure 

390 a. Set M2 -> msaDigest to SHAl[msaList] 

891 b. Set M2 -> pubKeyDigest to SHAl[migratedPubKey] 

392 19. Set d2 -> migrationAuth = HMAC(M2) using tpmProof as the secret 

393 20. Create outData using the key in parentHandle to perform the encryption 
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12. Maintenance Functions (optional) 



Start of informative comment: 



When a maintenance archive is created with generateRandom FALSE, the maintenance blob 
is XOR encrypted with f the,; owner authorization before encryption wi^ 



the archive. j 

When generateRandom is TRUE, the maintenance blob is XOR encrypted with random data, | 
which is also returned. This permits someone trusted by the Owner to load the; 
maintenance iarchive into the replacement platform in the absence of the Owner arid; 
jmanufacturer, without the Owner having to reve^ information about his auth value. The 
receiving and sending TPM's may have different owner authorizations. The random data is 
transferred from the sending TPM owner to the receiving TPM owner out of band, so the 
maintenance blob remains hidden from the manufacturer. 

This is a typical maintenance sequence: 

1. Manufacturer: 

• generates maintenance key pair 

• gives public key to TPM 1 owner 

2. TPM1: TPM_LoadManuMaintPub 

• load maintenance public key yyyj; - :l :: l 0 l : l : W^M^ 
^ig^PMl: TPM^CreateMaintenanceArchive 

• XOR encrypt with owner auth or random 

• encrypt with maintenance public key 

4. Manufacturer: V ^D.' — 

• decrypt with maintenance private key ' 
(still XOR encrypted with owner auth or random) 
encrypt with TPM2 SRK public key 

5: TPM2: TPM_Ix>adMaintenanceArchive 

• decrypt with SRK private key 

• XOR decrypt with owner auth or random 
End of informative comment. 
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926 



927 12.1 TPM CreateMaintenanceArchive 

928 



929 
930 

931 
932 



Start or informative comment: 



This : command creates the maintenance archive. It can . only be executed by 'the owner, and i 
may be shut off with the TPM I^lMaintenanceFe 

;:. \ : y,..--*< *,-jci.. > ;0 . f ?- v ■ : - •>.;.. , T*. .<, !■ T:' ■ . >,> ■ *-\ ,..V : t . =. • ... <•:* i -, v* - : . - V; , • .. ... '. ■ v .;.V:: ; :, : . V/; : .- 



Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM.TAG 


tag 


TPM_TAG_RQU_AUTH1_C0MMAND 


2 


4 






UINT32 | 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM.COMMANDCODE 


ordinal 


Cmd ordinal: TPM.ORD.CreateMaintenanceArchive 


4 


1 


2S 


1 


BOOL 


generateRandom 


Use RNG or Owner auth to generate 'random'. 


5 


4 






TPM_AUTHHANDLE 


authHandle 


The authorization session handle used for owner authenticatioa 






2H1 


20 


TPM.NONCE 


authLastNonceEven 


&j en nonce previously generated by TPM to cover inputs 


6 


20 


3H1 


20 


TPMJslONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


! 7 


1 


4H1 


1 


BOOL , 


continueAuthSession 


The continue use flag for the authorization session handle 


8 


20 






TPM_AUTHDATA 


ownerAuth 


HMAC key: ownerAuth. 


Outgoing Operands and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM_TAG 


tag 


TPMJTAG_RSP_AUTH1_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM.RESULT 


returnCode 


The return code of the operation. 






2S 


4 


TPM_C0MMAND_CODE 


ordinal 


Cmd ordinal: TPM_ORD_CreateMaintenanceArchive 


4 


4 


3S 


4 


UINT32 


randomSize 


Size of the returned random data. Will be 0 if generateRandom is FALSE. 


5 


o 


4S 


<> 


BYTE [ ] 


random 


Random data to XOR with result. 


6 


4 


5S 


4 


UINT32 


archiveSize 


Size of the encrypted archive 


7 


o 


6S 


o 


BYTE [ ] 


archive 


Encrypted key archive. 


8 


20 


2H1 


20 


TPM.NONCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 






3H1 


20 


TPM.NONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


9 


1 


4H1 


1 


BOOL 


continueAuthSession 


Continue use flag, TRUE if handle is still active 


10 


20 






TPM.AUTHDATA 


resAuth 


The authorization session digest for the returned parameters. HMAC key: 
ownerAuth. 



934 Actions 

935 Upon authorization being confirmed this command does the following: 



110 



Level 2 Revision 94 29 March 2006 Draft 



TCG Published 



TPM Main Part 3 Commands TCG © Copyright 

Specification Version 1 .2 

936 1. Validates that the TPM_PERMANENT_FLAGS -> allowMaintenance is TRUE. If it is 

937 FALSE, the TPM SHALL return TPM_DISABLED_CMD and exit this capability. 

938 2. Validates the TPM Owner AuthData. 

939 3. If the value of TPM_PERMANENT_DATA -> manuMaintPub is zero, the TPM MUST 

940 return the error code TPM_KEYNOTFOUND 

941 4. Build al a TPM_KEY structure using the SRK. The encData field is not a normal 

942 TPM_STORE„ASYMKEY structure but rather a TPM_MIGRATE_ASYMKEY structure built 

943 us i n g the following actions. 

944 5. Build a TPM_STORE_PRTVKEY structure from the SRK. This privKey element should be 

945 132 bytes long for a 2K RSA key. 

946 6. Create kl and k2 by splitting the privKey element created in step 4 into 2 parts, kl is 

947 the first 20 bytes of privKey, k2 contains the remainder of privKey. 

948 7. Build ml by creating and filling in a TPMJVIIGRATE_ASYMKEY structure 

949 a. ml -> usageAuth is set to TPM_PERMANENT_DATA -> tpmProof 

950 b. ml -> pubDataDigest is set to the digest value of the SRK fields from step 4 

951 c. ml -> payload is set to TPM_PT_MAINT 

952 d. ml -> partPrivKey is set to k2 

953 8. Create ol (which SHALL be 198 bytes for a 2048 bit RSA key) by performing the OAEP 

954 encoding of m using OAEP parameters of 

955 a. m = TPM_MIGRATE_ASYMKEY structure (step 7) 

956 b. pHash = TPM_PERMANENT_DATA -> ownerAuth 

957 c. seed = si = kl (step 6) 

958 9. If generateRandom = TRUE 

959 a. Create rl by obtaining values from the TPM RNG. The size of rl MUST be the same 

960 size as ol. Set random parameter to rl 

961 1 0. If generateRandom - FALSE 

962 a. Create rl by applying MGF1 to the TPM Owner AuthData. The size of rl MUST be the 

963 same size as ol. Set random parameter to null. 

964 1 1. Create xl by XOR of ol with rl 

965 12.Enciypt xl with the manuMaintPub key using the TPM_ES_RSAESOAEP_SHAl_MGFl 

966 encryption scheme. 

967 13. Set al -> encData to the encryption of xl 

968 14. Set TPM_PERMANENT_FLAGS -> maintenanceDone to TRUE 

969 15. Return al in the archive parameter 
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970 

971 

972 
973 

974 
975 
976 

977 
978 
979 

980 
981 



12.2 TPM LoadMaintenanceArchive 



Start of informative comment: 

This command loads in a Maintenance archive that has been massaged by the 
manufacturer to load into another TPM. 

If the maintenance archive was created using the owner authorization for XOR encryption, 
the current owner authorization must be used for decryption. The owner authorization does 
not change. 

If the maintenance archive was created using random data for the XOR encryption, the 
vendor specific arguments must include the random data. The owner authorization may 
change. 

End of informative comment* 



Incoming Operands and Sizes 



PARAM 


HMAC I 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM_TAG 


tag 


TPM_TAG_RQU_AUTH1_C0MMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_C0MMAND_C0DE 


ordinal 


Command ordinal: TPM_ORD_LoadMalntenanceArchive 


4 


4 


2S 


4 


UINT32 


archiveSize 


Sice of the encrypted archive 


5 


o 


3S 


o 


BYTEQ 


archive 


Encrypted key archive 














Vendor specific arguments 




4 






TPM_AUTHHANDLE 


authHandle 


The authorization session handle used for owner authentication. 








20 


TPM_N0NCE 


authLastNonceEven 


Even nonce previously generated by TPM to cover inputs 




20 




20 


TPM.N0NCE 


nonce Odd 


Nonce generated by system associated with authHandle ' 




1 




1 


BOOL 


continueAuthSession 


The continue use flag for the authorization session handle 




20 






TPM_AUTHDATA 


ownerAuth 


The authorization session digest for inputs and owner authentication. 
HMAC key: ownerAuth. 
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983 Outgoing Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM.TAG 


tag 


TPM_TAG_RSP_AUTH1_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 




4 


TPM_RESULT 


return Code 


The return code of the operation. 








4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal: TPM_ORD_LoadMaintenanceArchive 














Vendor specific arguments 




20 




20 i 


TPM_NONCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 








20 


TPM.NONCE 


nonceOdd 


Nonce generated by system associated with authHandle 




1 




1 


BOOL 


continueAuthSession 


Continue use flag, TRUE if handle is still active 




20 






TPM.AUTHDATA 


resAuth 


The authorization session digest for the returned parameters. HMAC key: 
ownerAuth, the original value and not the new auth value 



984 Descriptions 

985 The maintenance mechanisms in the TPM MUST not require the TPM to hold a global 
386 secret. The definition of global secret is a secret value shared by more than one TPM. 

987 The TPME is not allowed to pre -store or use unique identifiers in the TPM for the purpose of 

988 maintenance. The TPM MUST NOT use the endorsement key for identification or encryption 

989 in the maintenance process. The maintenance process MAY use a TPM Identity to deliver 

990 maintenance information to specific TPM's. 

991 The maintenance process can only change the SRK, tpmProof and TPM Owner AuthData 

992 fields. 

993 The maintenance process can only access data in shielded locations where this data is 

994 necessary to validate the TPM Owner, validate the TPME and manipulate the blob 

995 The TPM MUST be conformant to the TPM specification, protection profiles and security 

996 targets after maintenance. The maintenance MAY NOT decrease the security values from 

997 the original security target. 

998 The security target used to evaluate this TPM MUST include this command in the TOE. 

999 Actions 

000 The TPM SHALL perform the following when executing the command 

001 1. Validate the TPM Owner's AuthData 

002 2. Validate that the maintenance information was sent by the TPME. The validation 

003 mechanism MUST use a strength of function that is at least the same strength of 

004 function as a digital signature performed using a 2048 bit RSA key. 

005 3. The packet MUST contain m2 as defined in section 12.1. 

006 4. Ensure that only the target TPM can interpret the maintenance packet. The protection 

007 mechanism MUST use a strength of function that is at least the same strength of 

008 function as a digital signature performed using a 2048 bit RSA key. 

009 5. Process the maintenance information 
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010 a. Update the SRK 

011 i. Set the SRK usageAuth to be the same as the source TPM owner's AuthData 

012 b. Update TPM_PERMANENT_DATA -> tpmProof 

013 c. Update TPMJPERMANENT_DATA -> ownerAuth 

014 6. Set TPM_PERMANENT_FLAGS -> maintenanceDone to TRUE 

015 7. Terminate all OSAP and DSAP sessions 
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016 

017 

018 
019 
020 

021 
022 

023 
024 
025 

026 
027 



12.3 TPM KillMaintenanceFeature 



Informative Comments: j 

The TPM_KillMaintencajiceFeature is a permanent action that prevents ANYONE from 
[creating a maintenance archive. This action, once taken, is permanent until a new TPM 
Owner is set. - : / . • } ^- v ^ : - '" i\ '' : ' : -- : }ii:;--<r 

This action is to allow those customers who do not want the maintenance feature to not 
allow the use of the maintenance feature. 

At the discretion of the Owner, it should be possible to kill the maintenance feature in such 
a way that the only way to recover maintaina.bility of the platform would be to wipe out the 
root keys. This feature is mandatory in any TPM that implements the maintenance feature. 

End informative Comment 



Incoming Operands and Sizes 



PARAM 


HMAC f 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM.TAG 


tag 


TPM_TAG_RQU_AUTH 1 .COMMAND 


2 


4 






UINT32 


paramSize 


Total num ber of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal: TPM_ORD_KillMaintenanceFeature 


4 


4 






TPM_AUTHHANDLE 


authHandle 


The authorization session handle used for owner authentication 






2H1 


20 


TPM_N0NCE 


authLasWonceEven 


Even nonce previously generated by TPM to cover inputs 


5 


20 


3H1 


20 


TPMJslONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


6 


1 


4H1 


1 


BOOL 


continueAuth Session 


The continue use flag for the authorization session handle 


7 


20 






TPM _AUTHDATA 


ownerAuth 


HMAC key: ownerAuth. 


Ou 


tgoing Operands and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


sz 


# 


SZ 


1 


2 






TPM_TAG 


tag 


TPM_TAG_RSP_AUTH 1 .COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_RESULT 


returnCode 


The return code of the operation. 






2S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal: TPM_ORD_KillMaintenanceFeature 


4 


20 


2H1 


20 


TPM_N0NCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 






3H1 


20 


TPM_N0NCE 


nonceOdd 


Nonce generated by system associated with authHandle 


5 


1 


4H1 


1 


BOOL 


continueAuthSession 


Continue use flag, TRUE if handle is still active 


6 


20 






TPM_AUTHDATA 


resAuth 


HMAC key: ownerAuth. 



028 



029 Actions 

030 1. Validate the TPM Owner AuthData 

03 1 2. Set the TPM_PERMANENT_FLAGS.allowMaintenance flag to FALSE. 
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032 

033 

034 
035 
036 
037 
038 

039 
040 

041 
042 



12.4 TPM LoadManuMaintPub 



Informative Comments: 

The TPM LoadManuMaintPub command loads the manufacturer's public key for use in the 
maintenance process . The command installs manuMaintPub in PERMANENT data storage 
inside a TPM. Maintenance enables duplication of non-migratory data in protected storage. 
There is therefore a security hole if a platform is shipped before the maintenance public key 
has been installed in a TPM. 

The command is expected to be used before installation of a TPM Owner or any key in TPM 
protected storage. It therefore does not use authorization. 

End of Informative Comments 



Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM.TAG 


tag 


TPM_TAG_RQU_.COM MAN D 


2 


4 






UINT32 


pa ram Size 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal: TPM_ORD_LoadManuMaintPub 


4 


20 


2S 


20 


TPM.NONCE 


antiReplay 


AntiReplay and validation nonce 


5 


<> 


3S 


<> 


TPM.PUBKEY 


pubKey 


The public key of the manufacturer to be in use for maintenance 


Oil 


tgoing Operands and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


sz 


# 


SZ 


1 


2 






TPM.TAG 


tag 


TPM_TAG_RSP_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM.RESULT 


returnCode 


The return code of the operation. 






2S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal: TPM_ORD_LoadManuMaintPub 


4 


20 


3S 


20 


TPM_DIGEST 


checksum 


Digest of pubKey and antiReplay 



043 



044 

045 
046 

047 
048 

049 

050 
051 
052 
053 
054 



Description 

The pubKey MUST specify an algorithm whose strength is not less than the RSA algorithm 
with 2048bit keys. 

pubKey SHOULD unambiguously identify the entity that will perform the maintenance 
process with the TPM Owner. 

TPM_PERMANENT_DATA -> manuMaintPub SHALL exist in a TPM-shielded location, only. 

If an entity (Platform Entity) does not support the maintenance process but issues a 
platform credential for a platform containing a TPM that supports the maintenance process, 
the value of TPM_PERMANENT_DATA -> manuMaintPub MUST be set to zero before the 
platform leaves the entity's control. That is, this ordinal can only be run once, and used to 
either load the key or load a NULL key. 
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055 Actions 

056 The first valid TPM_LoadManuMaintPub command received by a TPM SHALL 

057 1. Store the parameter pubKey as TPM_PERMANENT_DATA -> manuMaintPub. 

058 2. Set checksum to SHA-1 of (pubKey | | antiReplay) 

059 3. Export the checksum 

060 4. Subsequent calls to TPM_LoadManuMaintPub SHALL return code 

06 1 TPM_DISABLED_CMD. 
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062 

063 

064 
065 
066 
067 
068 

069 
070 

071 

072 



12.5 TPM ReadManuMaintPub 



Informative Comments: 

The TPM_ReadManuMaintPub command is used to check whether the manufacturer's 
public maintenance key in a TPM has the expected value. This may be useful during the 
manufacture process. The command returns a digest of the installed key, rather than the 
key itself. This hinders discovery of the maintenance key, which may (or may not) be useful 
for manufacturer privacy. 

The command is expected to be used before installation of a TPM Owner or any key in TPM 
protected storage. It therefore does not use authorization. 

End of Informative Comments : : . • ' .■/./.. ■;. _j. _ _ * 

Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


n 


SZ 


1 


2 






TPMJTAG 


tag 


TPM_TAG_RQU_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


i 1S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal: TPM_ORD_ReadManuMaintPub 


4 


20 


2S 


20 


TPM_N0NCE 


antiReplay 


AntiReplay and validation nonce 


Outgoing Operands and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM_TAG 


tag 


TPM_TAG_RSP_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM.RESULT 


retumCode 


The return code of the operation. 






2S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal: TPM_ORD_ReadManuMaintPub 


4 


20 


3S 


20 


TPMJDIGEST 


checksum 


Digest of pubKey and antiReplay 



073 



074 

075 
076 



Description 

This command returns the hash of the antiReplay nonce and the previously loaded 
manufacturer's maintenance public key. 



077 Actions 

078 The TPM_ReadManuMaintPub command SHALL 

079 1. Create "checksum" by concatenating data to form (TPM_PERMANENT_DATA -> 

080 manuMaintPub | | antiReplay) and passing the concatenated data through SHA1. 

081 2. Export the checksum 
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082 13. Cryptographic Functions 
13.1 TPM SHA1 Start 



083 

084 

085 

086 
087 
088 

089 
090 

091 
092 
093 

094 
095 



Start of informative comment: 

This capability starts the process of calculating a SHA-1 digest. 

The exposure of the SHA- 1 processing is a convenience to platforms in a mode that do not 
have sufficient memory to perform SHA-1 themselves. As such, the use of SHA-1 is 
restrictive on the TPM. : ^ 

The TPM may not allow any other types of processing during the execution of a SHA-1 
session. There is only one SHA-1 session active on a TPM. 

After the execution of TPM_SHA1 Start, and prior to TPM_SHA1 Complete or 
TPM_SHA 1 GompleteExtend, the receipt of any command other than TPM_SHA 1 Update will 
cause the invalidation of the SHA- 1 session. 

End of informative comment. „ :. -- ^ .. - 



Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM_TAG 


tag 


TPM_TAG_RQU_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal TPM_ORD_SHA1 Start 


Ou 


tgoing Operands and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


sz 


# 


SZ 


1 


2 






TPM.TAG 


tag 


TPM_TAG_RSP_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_RESULT 


retumCode 


The return code of the operation. 






2S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinak TPM_0RD_SHA1 Start 


4 


4 


3S 


4 


UINT32 


maxNumBytes 


Maximum number of bytes that can be sent to TPM.SHA1 Update. Must be a 
multiple of 64 bytes. 



096 



097 

098 
099 
100 

101 
102 
103 

104 
105 



Description 

1. This capability prepares the TPM for a subsequent TPM_SHA1 Update, 
TPM_SHA1 Complete or TPM_SHAlCompleteExtend command. The capability SHALL 
open a thread that calculates a SHA-1 digest. 

2. After receipt to TPM_SHA1 Start, and prior to the receipt of TPM_SHA1 Complete or 
TPM_SHAlCompleteExtend, receipt of any command other than TPM_SHA1 Update 
invalidates the SHA- 1 session. 

a. If the command received is TPM_ExecuteTransport, the SHA- 1 session invalidation is 
based on the wrapped command, not the TPM_ExecuteTransport ordinal. 
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106 13.2 TPM_SHA1 Update 




111 Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM_TAG 


tag 


TPM_TAG_RQU_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_C0MMAND_C0DE 


ordinal 


Command ordinat TPM_0RD_SHA1 Update 


4 


4 


2S 


4 


UINT32 


numBytes 


The number of bytes in hashData. Must be a multiple of 64 bytes. 


5 


<> 


3S 


<> 


BYTE [ ] 


hashData 


Bytes to be hashed 


Outgoing Operands and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM_TAG 


tag 


TPM_TAG_RS P_COMMAN D 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPMJRESULT 


retumCode 


The return code of the operation. 






2S 


4 


TPM_C0MMAND_C0DE 


ordinal 


Command ordinat TPM_0RD_SHA1 Update 



1 13 Description 

114 This command SHALL incorporate complete blocks of data into the digest of an existing 

115 SHA-1 thread. Only integral numbers of complete blocks (64 bytes each) can be processed. 
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116 13.3 TPM_SHA1 Complete 

117 
118 
119 



Start of informative comment: 




120 Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPMJ7VG 


tag 


TPM _TAG_RQU_COM MAN D 


2 


4 






UJNT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_C0MMAND_C0DE 


ordinal 


Command ordinat TPM_ORD_SHA1 Complete 


4 


4 


2S 


4 


UINT32 


hashDataSize 


Number of bytes in hashData, MUST be 64 or less 


5 


o 


3S 


<> 


BYTE [ ] 


hashData 


Final bytes to be hashed 


Outgoing Operands and Sizes 


PARAM 


: HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM_TAG 


tag 


TPM_TAG_RSP_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM .RESULT 


returnCode 


The return code of the operation. 






2S 


4 


TPM_C0MMAND_C0DE 


ordinal 


Command ordinat TPM_ORD_SHA1 Complete 


4 


20 


3S 


20 


TPM_DIGEST 


hashValue 


The output of the SHA-1 hash. 



121 



122 

123 
124 
125 

126 
127 



Description 

This command SHALL incorporate a partial or complete block of data into the digest of an 
existing SHA-1 thread, and terminate that thread. hashDataSize MAY have values in the 
range of 0 through 64, inclusive. 

If the SHA-1 thread has received no bytes the TPM SHALL calculate the SHA-1 of the empty 
buffer. 
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128 


13.4 TPM_SHA1CompleteExtend 


129 


Start of informative comment: 


130 
131 


This capability terminates a pending SHA-1 calculation and EXTENDS the result into a 
Platform Configuration Register using a SHA-1 hash process. 


132 
133 


This command is designed to complete a hash sequence and extend a ?CR in merriory-less 
environments. 


134 


End of informative comment. 


135 


Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM.TAG 


tag 


TPM_TAG_RQU_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinat TPM_ORD_SHA1CompleteExtend 


4 


4 


2S 


4 


TPM_PCRINDEX 


pcrNum 


Index of the PCR to be modified 


5 


4 


3S 


4 


UINT32 


hashDataSize 


Number of bytes in hashData, MUST be 64 or less 


6 


<> 


4S 


<> 


BYTE [] 


hashData 


Final bytes to be hashed 


Outgoing Operands and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


I # 


SZ 


# 


SZ 


1 


2 






TPM.TAG 


tag 


TPM_TAG_RSP_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_RESULT 


retumCode 


The return code of the operation. 






2S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinat TPM_ORD_SHA1CompleteExtend 


4 


20 


3S 


20 


TPM.DIGEST 


hashValue 


The output of the SHA-1 hash. 


5 


20 


4S 


20 


TPM_PCRVALUE 


outDigest 


The PCR value after execution of the command. 



137 Description 

138 This command SHALL incorporate a partial or complete block of data into the digest of an 

139 existing SHA-1 thread, EXTEND the resultant digest into a PCR, and terminate the SHA-1 

140 session. hashDataSize MAY have values in the range of 0 through 64, inclusive. 

141 The SHA-1 session MUST terminate even if the command returns an error, e.g. 

1 42 TPM_B AD_LO C ALITY . 

143 Actions 

144 1. Map VI to TPM_STANY_DATA 

145 2. Map LI to VI -> localityModifier 

146 3. If the current locality, held in LI, is not selected in TPM_PERMANENT_DATA -> pcrAttrib 

147 [pcrNum]. pcrExtendLocal, return TPM_BAD_LOCALITY 
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148 4. Create HI the TPM_DIGEST of the SHA-1 session ensuring that hashData, if any, is 

149 added to the SHA-1 session 

150 5. Perform the actions of TPM_Extend using HI as the data and pcrNum as the PCR to 

151 extend 
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152 13.5 TPM_Sign 




156 Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM_TAG 


tag 


TPM_TAG_RQU_AUTH1_C0MMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_C0MMAND_C0DE 


ordinal 


Command ordinal: TPM_ORD_Sign. 


4 


4 






TPM_KEY_HANDLE 


keyHandle 


The keyHandle identifier of a loaded key that can perform digital 
signatures. 


5 


4 


2s 


4 


UINT32 


areaToSignSize 


The size of the areaToSign parameter 


6 


o 


3s 


<> 


BYTEQ 


areaToSign 


The value to sign 


7 


4 






TPM_AUTH HANDLE 


authHandle 


The authorization session handle used for keyHandle authorization 






2H1 


20 


TPM.NONCE 


authLastNonceEven 


Even nonce previously generated by TPM to cover inputs 


8 


20 


3H1 


20 


TPM_N0NCE 


nonceOdd 


Nonce generated by system associated with authHandle 


9 


1 


4H1 


1 


BOOL 


continueAuthSession 


The continue use flag for the authorization session handle 


10 


20 






TPM_AUTHDATA 


privAuth 


The authorization session digest that authorizes the use of keyHandle. 
HMAC key: key.usageAuth 


Ou 


tgoing Operands and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


sz 


# 


SZ 




1 


2 






TPM.TAG 


tag 


TPM_TAG_RSP__AUTH 1 ^COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM.RESULT 


returnCode 


The return code of the operation. 






2S 


4 


TPM.C0MMANDC0DE 


ordinal 


Command ordinal: TPM_ORD_Sign. 


4 


4 


3S 


4 


UINT32 


sigSize 


The length of the returned digital signature 


5 


o 


4S 


o 


BYTE[] 


sig 


The resulting digital signature. 


6 


20 


2H1 


20 


TPM.NONCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 






3H1 


20 


TPM.NONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


7 


1 


4H1 


1 


BOOL 


continueAuthSession 


Continue use flag, TRUE if handle is still active 


8 


20 






TPM_AUTHDATA 


resAuth 


The authorization session digest for the returned parameters. HMAC key: 
key.usageAuth 



158 Description 

159 The TPM MUST support all values of areaToSignSize that are legal for the defined signature 

160 scheme and key size. The maximum value of areaToSignSize is determined by the defined 

161 signature scheme and key size. 
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162 In the case of PKCSlvl5_SHAl the areaToSignSize MUST be TPM_DIGEST (the hash size of 

163 a SHA-1 operation - see 8.5.1 TPM_SS_RSASSAPKCSlvl5_SHAl). In the case of 

164 PKCSlvl5_DER the maximum size of areaToSign is k-11 octets, where k is limited by the 

165 key size (see TPM_SS_RSASSAPKCSlvl5_DER). 

166 Actions 

167 1. The TPM validates the AuthData to use the key pointed to by keyHandle. 

168 2. If the areaToSignSize is 0 the TPM returns TPM_BAD_PARAMETER. 

169 3. Validate that keyHandle -> keyUsage is TPM_KEY_SIGNING or TPM_KEY_LEGACY, if not 

170 return the error code TPMJNVALIDJCEYUSAGE 

171 4. The TPM verifies that the signature scheme and key size can properly sign the 

172 areaToSign parameter. 

173 5. If signature scheme is TPM_SS_RSASSAPKCSlvl5_SHAl then 

174 a. Validate that areaToSignSize is 20 return TPM_J3AD_PARAMETER on error 

175 b. Set SI to areaToSign 

176 6. Else if signature scheme is TPM_SS_RSASSAPKCSlvl5_DER then 

177 a. Validate that areaToSignSize is at least 11 bytes less than the key size, return 

1 78 TPM_BAD_PARAMETER oh error 

179 b. Set SI to areaToSign 

180 7. else if signature scheme is TPM_SS_RSASSAPKCSlvl5_INFO then 

181 a. Create S2 a TPM_SIGN_INFO structure 

182 b. Set S2 -> fixed to "SIGN" 

183 c. Set S2 -> replay to nonceOdd 

184 i. If nonceOdd is not present due to an unauthorized command return 

1 85 TPM_BAD JPARAMETER 

186 d. Set S2 -> dataLen to areaToSignSize 

187 e. Set S2 -> data to areaToSign 

1 88 f . Set S 1 to the SHA- 1 (S2) 

189 8. Else return TPM_INVALID_KEYUSAGE 

190 9. The TPM computes the signature, sig, using the key referenced by keyHandle using SI 

191 as the value to sign 

192 10. Return the computed signature in Sig 
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193 
194 

195 
196 

197 
198 
199 

200 
201 



13.6 TPM GetRandom 



Start of informative comment: 

TPM_GetRandom returns the next bytesRequested bytes from the random number 
generator to the caller. ^ 

It is recommended that a TPM implement the RNG in a manner that would allow it to return 
RNG bytes such that the frequency of bytesRequested being more than the number of bytes 
available is an infrequent occurrence. 

End of informative comment. 



Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM.TAG 


tag 


TPM_TAG_RQU_C0 MMAN D 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_C0MMAND_C0DE 


ordinal 


Command ordinal: TPM_ORD_GetRandom. 


4 


4 


2S 


4 


UINT32 


bytesRequested 


Number of bytes to return 



202 Outgoing Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPMJTAG 


tag 


TPM_TAG_RSP_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag I 


3 


4 


1S 


4 


TPM.RESULT 


retumCode 


The return code of the operation. 






2S 


4 


TPM_C0MMAND_C0DE 


ordinal 


Command ordinal: TPM_ORD_GetRandom. 


4 


4 


3S 


4 


UINT32 


randomBytesSize 


The number of bytes returned 


5 


<> 


4S 


<> i 


BYTE[] 


randomBytes 


The returned bytes 



203 

204 

205 
206 

207 



Actions 

1 . The TPM determines if amount bytesRequested is available from the TPM. 

2. Set randomBytesSize to the number of bytes available from the RNG. This number MAY 
be less than bytesRequested 

3. Set randomBytes to the next randomBytesSize bytes from the RNG 
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208 13.7 TPM StirRandom 




212 Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM_TAG 


tag 


TPM_TAG_RQU_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_C0M MAN D_C0D E 


ordinal 


Command ordinal: TPM_ORD_StirRandom 


4 


4 


2S 


4 


UINT32 


dataSize 


Number of bytes of input (<256) 


5 


o 


3S 


o 


BYTE[] 


inData 


Data to add entropy to RNG state 


Outgoing Operands and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM.TAG 


tag 


TPM_TAG_RSP_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM.RESULT 


return Code 


The return code of the operation. 






2S 


4 


TPM_C0MMAND_C0DE 


ordinal 


Command ordinal: TPMjORD^StirRandom 



214 Actions 

215 The TPM updates the state of the current RNG using the appropriate mixing function. 
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13.8 TPIVLCertifyKey 



Start of informative comment: 

The TPM_OertifyKey operation allows one key to certify the public portion of another key/ 

A TPM identity key may be used to certify nqn-migratable keys but is not permitted to 
certify migratory keys or certified migration keys. As such, it allows the TPM to make the 
statement "this key is held in a TPM-shielded location, and it will never be revealed." For 
this statement to have veracity, the Challenger must trust the policies used by the entity 
that issued the identity and the maintenance policy of the TPM manufacturer. 

Signing and legacy keys may be used to certify both migratable and non-migratable keys. 
Then the usefulness of a certificate depends on the trust in the certifying key by the 
recipient ol the certiticate. - 

The key to be certified must be loaded before TPM_CertifyKey is called. 

The determination to use the TPM^CERTIFYJNFO or TPM_CERTIFYTNF02 on the output is 
based on which PCRs and what localities the certified key is restricted to. A key to be 
certified that does not have locality restrictions and which uses no PCRs greater than PGR 
#15 will cause this command return and sign \ a TPM_CERTIFY_INFO structure, which 
provides compatibility with VI . 1 TPMs. 

When this command is run to certify all other keys (those that use PCR #1 6 or higher, as 
well as those limited by locality in any way) it will return and sign a TPM_CERTIFY_INF02 
structure. 

TPM_CertifyKey does nbt support the case where (a) tJie ; certifying a usage 

authorization to be provided but (b) the key- to-be -certified does not. In such cases, 
TPM_CertifyKey2 must be used. 

If a command tag (in the parameter array) specifies only one authorisation session, then the 
TPM convention is that the first session listed is ignored (authDataUsage must be NEVER 
Ifbr this key) and the incoming session data is used for the second auth session in the list. 
Iln TPM_CertifyKey, the first session is the certifying key and the second session is the key- 
to-be -certified. In TPM_CertifyKey2, the first session is the key- to-be -certified and the 
[second session is the certifying key. , 

245 iEnd of informative comment. „ 
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246 Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM.TAG 


tag 


TPM_TAG_RQU_AUTH2_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinat TPM_ORD_CertifyKey 


4 


4 






TPM_KEY_HANDLE 


certHandle 


Handle of the key to be used to certify the key. 


5 


4 






TPM_KEY_HANDLE 


keyHandle 


Handle of the key to be certified. 


b 








TPM NONCE 


antiReplay 


160 bits of externally supplied data (typically a nonce provided to 
prevent replay -attacks) 


7 


4 






TPM_AUTH HANDLE 


certAuthHandle 


The authorization session handle used for certHandle. ' 






2H1 


20 


TPM_N0NCE 


authLastNonceEven 


Even nonce previously generated by TPM to cover inputs 


8 


20 


3H1 


20 


TPM.NONCE 


nonceOdd 


Nonce generated by system associated with certAuthHandle 


9 


1 


4H1 


1 


BOOL 


continueAuthSession 


The continue use flag for the authorization session handle 


10 


20 






TPM.AUTHDATA 


certAuth 


The authorization session digest for inputs and certHandle. HMAC key: 
certKey.auth. 


11 


4 






TPM.AUTHHANDLE 


keyAuthHandle 


The authorization session handle used for the key to be signed. 






2H2 


20 


TPM_NONCE 


keylastNonceEven 


Even nonce previously generated by TPM 


12 


20 


3H2 


20 


TPM.NONCE 


keynonceOdd 


Nonce generated by system associated with keyAuthHandle 


13 


1 


4H2 


1 


BOOL 


continueKeySession 


The continue use flag for the authorization session handle 


14 


20 






TPM_AUTHDATA 


keyAuth 


The authorization session digest for the inputs and key to be signed. 
HMAC key: key.usageAuth. 
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247 Outgoing Operands and Sizes 



Param 


HMAC 


Type 


Name 


Description 


# 


Sz 


# 


Sz 


1 


2 






TPMJTAG 


tag 


TPM_TAG_RSP_AUTH2_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_RESULT 


retumCode 


The return code of the operation. 






2S 


4 


TPM_C0MMAND_C0DE 


ordinal 


Command ordinat TPM_ORD_CertifyKey 


4 


<> 


3S 


<> 


TPM.CERTIFYJNFO 


certifylnfo 


1 rM_C/tK 1 lrY_INrU or 1 rM_OtK 1 lr Y__INrU£ SiruCiUre uiai 
provides information relative to keyhandle 


5 


4 


4S 


4 


UINT32 


outDataSize 


The used size of the output area for outData 


6 


o 


5S 


<> 


BYTE[] 


outData 


The signature of certifylnfo 


7 


20 


2H1 


20 


TPM_N0NCE 


nonceEven 


Even nonce newly generated by TPM 






3H1 


20 




nonceOdd 


iNonce generaieo oy sysxem assoudieu wixn t^nMuuinanaie 


8 


1 


4H1 


1 


BOOL 


continueAuthSession 


Continue use flag for cert key session 


9 


20 




20 


TPM_AUTHDATA 


resAuth 


The authorization session digest for the returned parameters and 
parentHandle. HMAC key: certKey -> auth. 


10 


20 


2H2 


20 


TPMJJONCE 


keyNonceEven 


Even nonce newly generated by TPM 






3H2 


20 


TPM_N0NCE 


keynonceOdd 


Nonce generated by system associated with keyAuthHandle 


11 


1 


4H2 


1 


BOOL 


continueKey Session 


Continue use flag for target key session 


12 


20 






TPM_AUTHDATA 


keyAuth 


The authorization session digest for the target key. HMAC key: 
key. auth. 



248 Actions 

249 1. The TPM validates that the key pointed to by certHandle has a signature scheme of 

2 50 TP1VLSS_RSASSAPKCS 1 v 1 5_SHA 1 

251 2. Verify command and key AuthData values: 

252 a. If tag is TPM_TAG_RQU_AUTH2_COMMAND 

253 i. The TPM verifies the AuthData in certAuthHandle provides authorization to use 

254 the key pointed to by certHandle, return TPM_AUTHFAIL on error 

255 ii. The TPM verifies the AuthData in keyAuthHandle provides authorization to use 

256 the key pointed to by keyHandle, return TPM_AUTH2FAIL on error 

257 b. else if tag is TPM_TAG_RQU_AUTH l_COMMAND 

258 L Verify that authDataUsage is TPM_AUTH_NEVER for the key referenced by 

259 certHandle, return TPM_AUTHFAIL on error. 

260 ii. The TPM verifies the AuthData in keyAuthHandle provides authorization to use 

261 the key pointed to by keyHandle, return TPM_AUTHFAIL on error 

262 c. else if tag is TPMJTAG_RQU_COMMAND 

263 i. Verify that authDataUsage is TPM_AUTH_NEVER for the key referenced by 

264 certHandle, return TPM_AUTHFAIL on error. 
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265 ii. Verify that authDataUsage is TPM_AUTH_NEVER or TPM_AUTH^PRIVJJSE_ONLY 

266 for the key referenced by keyHandle, return TPM_AUTHFAIL on error. 

267 3. If the key pointed to by certHandle is an identity key (certHandle -> keyUsage is 

268 TPMJCEYJDENTITY) 

269 a. If keyHandle -> keyFlags -> migratable is TRUE return TPM__MIGRATEFAIL 

270 4. If keyHandle -> digestAtRelease requires the use of PCRs 16 or higher to calculate or if 

271 keyHandle -> localityAtRelease is not Ox IF 

272 a. Set VI to 1.2 

273 5. Else 

274 a. Set VI to 1.1 

275 6. If keyHandle -> pcrlnfoSize is not 0 

276 a. If keyHandle -> keyFlags has pcrlgnoredOnRead set to FALSE 

277 i. Create a digestAtRelease according to the specified TPM_STCLEAR_DATA -> PGR 

278 registers and compare to keyHandle -> digestAtRelease and if a mismatch return 

279 TPMJWRONGPCRVAL 

280 ii. If specified validate any locality requests on error TPM__BAD_LOCALITY 

281 b. If VI is 1.1 

282 i. Create CI a TPM_CERTIFY_INFO structure 

283 ii. Fill in CI with the information from the key pointed to by keyHandle 

284 iii. The TPM MUST set cl -> pcrlnfoSize to 44. 

285 iv. The TPM MUST set cl -> pcrlnfo to a TPM_PCR_INFO structure properly filled out 

286 using the information from keyHandle. 

287 v. The TPM MUST set cl -> digestAtCreation to 20 bytes of 0x00. 

288 c. Else 

289 i. Create Cl a TPM_CERTIFY_JNF02 structure 

290 ii. Fill in Cl with the information from the key pointed to by keyHandle 

291 iii. Set Cl -> pcrlnfoSize to the size of an appropriate TPM_PCRJNFO„SHORT 

292 structure. 

293 iv. Set Cl -> pcrlnfo to a properly filled out TPM_PCRJNFO_SHORT structure, using 

294 the information from keyHandle. 

295 v. Set Cl -> migrationAuthoritySize to 0 

296 7. Else 

297 a. Create Cl a TPM_CERTIFY_INFO structure 

298 b. Fill in Cl with the information from the key pointed to by keyHandle 

299 c. The TPM MUST set cl -> pcrlnfoSize to 0 

300 8. Create TPMJDIGEST HI which is the SHA-1 hash of keyHandle -> pubKey -> key. Note 

301 that <key> is the actual public modulus, and does not include any structure formatting. 
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302 9. Set Cl -> pubKeyDigest to HI 

303 10. The TPM copies the antiReplay parameter to cl -> data. 

304 1 l.The TPM sets certifylnfo to Cl. 

305 12. The TPM creates ml, a message digest formed by talking the SHA1 of cl. 

306 a. The TPM then computes a signature using certHandle -> sigScheme. The resulting 

307 signed blob is returned in outData. 
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308 

309 

310 
311 

312 

313 
314 

315 
316 
317 
318 
319 

320 
321 



13.9 TPM_CertifyKey2 



Start of informative comment: 

This command is based on TPM CertifyKey, but includes the ability to certify a Certifiable 
Migration Key (CMK), which requires extra input parameters. 

TPM_CertifyKey2 always produces a TPM_CERTIFY_INF02 structure. 

TPM_CertifyKey2 does not support the case where (a) the key-to-be -certified requires a 
usage authorization to be provided but (b) the certifying key does not. 

If a command tag (in the parameter array) specifies only one authorisation session, then the 
TPM convention is that the first session listed is ignored (authDataUsage must be NEVER 
for this key) and the incoming session data is used for the second auth session in the list. 
In TPM_CertifyKey2, the first session is the key to be certified and the second session is thej 
certifying key. 

End of informative comment. 



Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM_TAG 


tag 


TPM_TAG_RQU_AUTH2_C0MMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_COMMAND_CODE 


ordinal 


Command oidinat TPM_0RD_CertifyKey2 


I 4 


4 






TPM_KEY_HAN DLE 


keyHandle 


Handle of the key to be certified. 


5 


4 






TPM_KEY_HANDLE 


certHandle 


Handle of the key to be used to certify the key. 


6 


20 


2S 


20 


TPM_DIGEST 


migrationPubDigest 


The digest of a TPM_MSA_COMPOSITE structure, containing at least 
one public key of a Migration Authority 


7 


20 


3S 


20 


TPM.NONCE 


antiReplay 


160 bits of externally supplied data (typically a nonce provided to 
prevent replay -attacks) 


8 


4 






TPM_AUTHHANDLE 


keyAuthHandle 


The authorization session handle used for the key to be signed. 






2H1 


20 


TPMJMONCE 


keylastNonceEven 


Even nonce previously generated by TPM 


9 


20 


3H1 


20 


TPM.NONCE 


keynonceOdd 


Nonce generated by system associated with keyAuthHandle 


10 


1 


4H1 


1 


BOOL 


continueKeySession 


The continue use flag for the authorization session handle 


11 


20 






TPM_AUTHDATA 


keyAuth 


The authorization session digest for the inputs and key to be signed. 
HMAC key: key.usageAuth. 


12 


4 






TPM_AUTHHANDLE 


certAuthHandle 


The authorization session handle used for certHandle. 






2H2 


20 


TPM.NONCE 


authLastNonceEven 


Even nonce previously generated by TPM to cover inputs 


13 


20 


3H2 


20 


TPM_NONCE 


nonceOdd 


Nonce generated by system associated with certAuthHandle 


14 


1 


4H2 


1 


BOOL 


continueAuthSession 


The continue use flag for the authorization session handle 


15 


20 






TPM.AUTHDATA 


certAuth 


Authorization HMAC key: certKey.auth. 
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322 Outgoing Operands and Sizes 



Param 


HMAC 


Type 


Name 


Description 


# 


Sz 


# 


Sz 


1 


2 






TPMJTAG 


tag 


TPM_TAG_RSP_AUTH2_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_RESULT 


returnCode 


The return code of the operation. 






2S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal TPM_ORD_CertifyKey2 


4 


o 


3S 


<> 


TPM.CERTIFYJNFCE 


certifylnfo 


TPM_CERTIFYJNF02 relative to keyHandle 


5 


4 


4S 


4 


UINT32 


outDataSize 


The used size of the output area for outData 


6 


o 


5S 


<> 


BYTE[] 


outData 


The signed public key. 


7 


20 


2H1 


20 


TPM_N0NCE 


keyNonceEven 


Even nonce newly generated by TPM 






3H1 


20 


TPMJMONCE 


keyNonceOdd 


Nonce generated by system associated with certAuthHandle 


8 


1 


4H1 


1 


BOOL 


keyContinueAuthSession 


Continue use flag for cert key session 


9 


20 




20 


TPM_AUTHDATA 


keyResAuth 


Authorization HMAC key: keyHandle -> auth. 


10 


20 


2H2 


20 


TPM.N0NCE 


certNonceEven 


Even nonce new ly generated by TPM 






3H2 


20 


TPM_N0NCE 


AuthLastNonceOdd 


Nonce generated by system associated with certAuthHandle 


11 


1 


4H2 


1 


BOOL 


CertC ontinueAuthSession 


Continue use flag for cert key session 


12 


20 




20 


TPM.AUTHDATA 


certResAuth 


Authorization HMAC key: certHandle -> auth. 



323 Actions 

324 1. The TPM validates that the key pointed to by certHandle has a signature scheme of 

325 TPM_SS_RSASSAPKCS 1 v 1 5_SHA 1 

326 2. Verify command and key AuthData values: 

327 a. If tag is TPM_TAG_RQU_AUTH2_COMMAND 

328 i. The TPM verifies the AuthData in keyAuthHandle provides authorization to use 

329 the key pointed to by keyHandle, return TPM_AUTHFAIL on error 

330 ii. The TPM verifies the AuthData in certAuthHandle provides authorization to use 

331 the key pointed to by certHandle, return TPM_AUTH2 FAIL on error 

332 b. else if tag is TPM_TAG_RQU_AUTH l_COMMAND 

333 i. Verify that authDataUsage is TPM_AUTH_NEVER or TPM_AUTH_PRIV_USE_ONLY 

334 for the key referenced by keyHandle, return TPM_AUTHFAIL on error 

335 ii. The TPM verifies the AuthData in certAuthHandle provides authorization to use 

336 the key pointed to by certHandle, return TPM_AUTH2 FAIL on error 

337 c. else if tag is TPMJTAG_RQU_COMMAND 

338 i. Verify that authDataUsage is TPM^AUTHJNfEVER or TPM_AUTH_PRIV_USE_ONLY 

339 for the key referenced by keyHandle, return TPM_AUTHFAIL on error 

340 ii. Verify that authDataUsage is TPM_AUTH_NEVER for the key referenced by 

341 certHandle, return TPM_AUTHFAIL on error. 
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342 3. If the key pointed to by certHandle is an identity key (certHandle -> keyUsage is 

343 TPM_KEY_IDENTITY) 

344 a. If keyHandle -> keyFlags -> migratable is TRUE and [keyHandle -> keyFlags-> 

345 migrateAuthority is FALSE or (keyHandle -> payload != TPM_PT__MIGRATE_RESTRICTED 

346 and keyHandle -> payload != TPM_PT_MIGRATE_EXTERNAL)] return 

347 TPM_MIGRATEFAIL 

348 4. The TPM SHALL create a cl a TPM_CERTIFY_INF02 structure from the key pointed to 

349 by keyHandle 

350 5. Create TPM_DIGEST HI which is the SHA-1 hash of keyHandle -> pubKey -> key. Note 

351 that <key> is the actual public modulus, and does not include any structure formatting. 

352 6. Set Cl -> pubKeyDigest to HI 

353 7. Copy the antiReplay parameter to cl -> data 

354 8. Copy other keyHandle parameters into Cl 

355 9. If keyHandle -> payload == TPM_PT_MIGRATE_RESTRICTED or 

356 TPM_PT_MIGRATE_EXTERNAL 

357 a. create thisPubKey, a TPM_PUBKEY structure containing the public key, algorithm 

358 and parameters corresponding to keyHandle 

359 b. Verify that the migration authorization is valid for this key 

360 i. Create M2 a TPM_CMK„MIGAUTH structure 

361 ii. Set M2 -> msaDigest to migrationPubDigest 

362 iii. Set M2 -> pubkeyDigest to SHA1 [thisPubKey] 

363 iv. Verify that [keyHandle -> migrationAuth] == HMAC(M2) signed by using tpmProof 

364 as the secret and return error TPM_MA_SOURCE on mismatch 

365 c. Set Cl -> migrationAuthority = SHA- 1 (migrationPubDigest | | keyHandle -> payload) 

366 d. if keyHandle -> payload == TPM_PT__MIGRATE_RESTRICTED 

367 i. Set Cl -> payloadType = TPMJPT_MIGRATE_RESTRICTED 

368 e. if keyHandle -> payload == TPM_PT_MIGRATE_EXTERNAL 

369 i. Set Cl -> payloadType - TPM_PT_MIGRATE_EXTERNAL 

370 10. Else 

371 a. set Cl -> migrationAuthority = NULL 

372 b. set Cl -> migrationAuthoritySize =0 

373 c. Set Cl -> payloadType = TPM_PT_ASYM 

374 1 l.If keyHandle -> pcrlnfoSize is not 0 

375 a. The TPM MUST set cl -> pcrlnfoSize to match the pcrlnfoSize from the keyHandle 

376 key. 

377 b. The TPM MUST set cl -> pcrlnfo to match the pcrlnfo from the keyHandle key 

378 c. If keyHandle -> keyFlags has pcrlgnoredOnRead set to FALSE 
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379 i. Create a digestAtRelease according to the specified TPM_STCLEAR_DATA -> PCR 

380 registers and compare to keyHandle -> digestAtRelease and if a mismatch return 

381 TPM_WRONGPCRVAL 

382 ii. If specified validate any locality requests on error TPMJ3ADJLOCALITY 

383 12. Else 

384 a. The TPM MUST set cl -> pcrlnfoSize to 0 

385 13. The TPM creates ml, a message digest formed by taking the SHA1 of cl 

386 a. The TPM then computes a signature using certHandle -> sigScheme. The resulting 

387 signed blob is returned in outData 
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388 

389 

390 
391 

392 
393 

394 
395 
396 

397 

398 
399 



14. Endorsement Key Handling 



Start of informative comment: 

There are two create EK commands. The first matches the 1. 1 functionality. The second 
provides the mechanism to enable revokeEK. 

The TPM and platform manufacturer decide on the inclusion or exclusion of the ability to 
execute revokeEK. ■ .. < v-^ 

The restriction to have the TPM generate the EK does not remove the manufacturing option 
to "squirt" the EK. During manufacturing, the TPM does not enforce all protections or 
requirements; hence, the restriction on only TPM generation of the EK is also not in force. 

End of informative comment. ■ ' \ }(<■■■ 



1. A TPM SHALL NOT install an EK unless generated on the TPM by execution of 
TPM_CreateEndorsementKeyPair or TPM__CreateRevocableEK 
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401 

402 
403 



400 14.1 TPM_CreateEndorsementKeyPair 

This command creates the TPM endorsement key. It returns a failure code if an 
endorsement key already exists. 

404 End of informative comment. 



405 Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM_TAG 


tag 


TPM_JAG_RQU_C0MMAN D 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_C0MMAND_C0DE 


ordinal 


Command ordinal: TPM_ORD_CreateEndorsementKeyPair 


4 


20 


2S 


20 


TPM.N0NCE 


antiReplay 


Arbitrary data 


5 


o 


3S 


o 


TPM_KEY_PARMS 


key Info 


Information about key to be created, this includes all algorithm parameters 


Outgoing Operands and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPMJTAG 


tag 


TPM_TAG_RSP_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_RESULT 


returnCode 


The return code of the operation. 






2S 


4 


TPM_C0MMAND_C0DE 


ordinal 


Command ordinal: TPM_ORD_CreateEndorsementKeyPair ' 


4 


<> 


3S 


<> 


TPM_PUBKEY 


pubEndorsementKey 


The public endorsement key 


5 


20 


4S 


20 


TPM.DIGEST 


checksum 


Hash of pubEndorsementKey and antiReplay 



406 



407 

408 

409 

410 
411 

412 
413 

414 

415 
416 

417 

418 

419 



Actions 

1 . If an EK already exists, return TPM_DISABLED_CMD 

2. Validate the keylnfo parameters for the key description 

a. If the algorithm type is RSA the key length MUST be a minimum of 2048. For 
interoperability the key length SHOULD be 2048 

b. If the algorithm type is other than RSA the strength provided by the key MUST be 
comparable to RSA 2048 

c. The other parameters of keylnfo (signatureScheme etc.) are ignored. 

3. Create a key pair called the "endorsement key pair" using a TPM- protected capability. 
The type and size of key are that indicated by keylnfo 

4. Create checksum by performing SHA1 on the concatenation of (PUBEK | | antiReplay) 

5. Store the PRTVEK 

6. Create TPM_PERMANENT_DATA -> tpmDAASeed from the TPM RNG 
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7. Set TPM_PERMANENT_FLAGS -> CEKPUsed to TRUE 

8. Set TPM PERMANENT FLAGS -> enableRevokeEK to FALSE 
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422 

423 

424 
425 
426 

427 
428 
429 
430 

431 
432 

433 
434 
435 
436 
437 

438 

439 

440 
441 
442 

443 
444 
445 
446 

447 
448 
449 

450 

451 



14.2 TPM CreateRevocableEK 



Start of informative comment: 

This command creates the TPM endorsement key. It returns a failure code if an 
endorsement key already exists. The TPM vendor may have a separate mechanism to create: 
the EK and "squirt" the value into the TPM. 

The input parameters specify whether the EK is capable of being reset, whether the 
AuthData value to reset the EK will be generated by the TPM, and the new AuthData value 
itself if it is not to be generated by the TPM. The output parameter is the new AuthData 
value that must be used when resetting the EK (if it is capable of being reset) . 

The command TPM_RevokeTrust must be used to reset an EK (if it is capable of being 
reset). 

Owner authorisation is unsuitable for authorizing resetting of an EK: someone with 
Physical Presence can remove a genuine Owner, install a new Owner, and revoke the EK. 
The genuine Owner can reinstall, but the platform will have lost its original attestation and 
may not be trusted by challengers. Therefore if a password is to be used to revoke an EK, it 
must be a separate password, given to the genuine Owner. 



In vl.2 an OEM has extra choices when creating EKs. 

a) An OEM could manufacture all of its TPMs with enableRevokeEK==TRUE. 

If the OEM has tracked the EKreset passwords for these TPMs, the OEM can give the 
passwords to customers. The customers can use the passwords as supplied, change the 
passwords, or clear the EKs and create new EKs with hew passwords. 

If EKreset passwords are random values, the OEM can discard those values and not give 
them to customers. There is then a low probability (statistically zero) chance of a local DOS 
attack to reset the EK by guessing the password. The chance of a remote DOS attack is zero ! 
because Physical Presence must also be asserted to use TPM_RevokeTrust. 

b) An OEM could manufacture some of its TPMs with enableRevokeEK==FALSE. Then the 
[EK can never be revoked, and the chance of even a local DOS attack on the EK is 
■eliminated. 

End of informative comment. 



This is an optional command 
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452 Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM_TAG 


tag 


TPM_TAG_RQU_C0MMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_C0MMAND_C0DE 


ordinal 


Command ordinal: TPM_ORD_CreateRevocableEK 


4 


20 


2S 


20 


TPM_N0NCE 


antiReplay 


Arbitrary data 


5 


o 


3S 


o 


TPM_KEY_PARMS 


key Info 


Information about key to be created, this includes all algorithm parameters 


6 


1 


4S 


1 


BOOL 


generateReset 


If TRUE use TPM RNG to generate EKreset. If FALSE use the passed 
value inputEKreset 


7 


20 


5S 


20 


TPM_N0NCE 


inputEKreset 


The authorization value to be used with TPM_RevokeTrust if 
generateReset==FALSE, else the parameter is present but ignored 


Outgoing Operands and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM_TAG 


tag 


TPM_TAG_RS P_COM M AN D 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_RESULT 


retumCode 


The return code of the operation. 






2S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal: TPM_ORD_CreateRevocableEK 


4 


o 


3S 


o 


TPM_PUBKEY 


pubEndorsementKey 


The public endorsement key 


5 


20 


4S 


20 


TPM_DIGEST 


checksum 


Hash of pubEndorsementKey and antiReplay 


6 


20 


5S 


20 


TPM_N0NCE 


outputEKreset 


The AuthData value to use TPM_RevokeTrust 



454 


Actions 


455 


1. 


If an EK already exists, return TPM_DISABLED_CMD 


456 


2. 


Perform the actions of TPM_CreateEndorsementKeyPair, if any errors return with error 


457 


3. 


Set TPM_PERMANENT_FLAGS -> enableRevokeEK to TRUE 


458 




a. If generateReset is TRUE then 


459 




i. Set TPM_PERMANENT_DATA -> EKreset to the next value from the TPM RNG 


460 




b. Else 


461 




i. Set TPM_PERMANENT_DATA -> EKreset to inputEKreset 


462 


4. 


Return PUBEK, checksum and Ekreset 


463 


5. 


Create TPM_PERMANENT_DATA -> tpmDAASeed from the TPM RNG 


464 
465 
466 
467 


6. 


The outputEKreset AuthData is sent in the clear. There is no uniqueness on the TPM 
available to actually perform encryption or use an encrypted channel. The assumption is 
that this operation is occurring in a controlled environment and sending the value in the 
clear is acceptable. 
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468 

469 

470 
471 
472 

473 

474 

475 



14.3 TPM RevokeTrust 



Start of informative comment: 



Dmmand clears the EK and sets the TPM back to a pure default state. The generation 



111 

This command 

of the AuthData value; occurs during the generation of the EK. It is the responsibility of the 
EK generator to properly protect and disseminate the RevokeTrust AuthData 

End of informative comment. 



This is an optional command 
Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM_TAG 


tag 


TPM_TAG_RQU_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_C0MM AN D_CODE 


ordinal 


Command ordinal: TPM_ORD_RevokeTrust 


4 


20 


2S 


20 


TPM.DIGEST 


EKReset 


The value that will be matched to EK Reset 


Outgoing Operands and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 




1 


2 






TPM_TAG 


tag 


TPM_TAG_RSP_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_RESULT 


returnCode 


The return code of the operation. 






2S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinat TPM_ORD_RevokeTrust 



476 



477 

478 
479 

480 
481 

482 

483 

484 
485 

486 

487 

488 



Actions 

1 



The TPM MUST validate that TPM_PERMANENT_FLAGS 
return TPM PERMANENTEK on error 



-> enableRevokeEK is TRUE, 



2. The TPM MUST validate that the EKReset matches TPM_PERMANENT_DATA -> EKReset 
return TPM_AUTHFAIL on error. 

3. Ensure that physical presence is being asserted 

4. Perform the actions of TPM_OwnerClear (excepting the command authentication) 

a. NV items with the publnfo -> nvlndex D value set MUST be deleted. This changes the 
TPM_OwnerClear handling of the same NV areas 

b. Set TPM_PERMANENT_FLAGS -> nvLocked to FALSE 

5. Invalidate TPM_PERMANENT_DATA -> tpmDAASeed 

6. Invalidate the EK and any internal state associated with the EK 
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489 

490 

491 
492 

493 
494 

495 
496 



14.4 TPM ReadPubek 



Start of informative comment: 



Return the endorsement key public portion. This value should have controls placed upon 
access, as it is a privacy sensitive value. • 

The ; readPubek flag is set to FALSE by , TPMJTakeOWnership and set to TRUE by 
TPM_OwnerClear, thus mirroring if a TPM Owner is present. 



Endx>f inform 



Incoming Operands and Sizes 



PARAM 


[ HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM.TAG 


tag 


TPM_TAG_RQU„COMMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_COMMAN D_CODE 


ordinal 


Command ordinal: TPM_ORD_ReadPubek 


4 


20 


2S 


20 


TPM.NONCE 


antiReplay 


Arbitrary data 


Outgoing Operands and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPMJTAG 


tag 


TPM_TAG_RSP_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM.RESULT 


retumCode 


The return code of the operation. 






2S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal: TPM_ORD_ReadPubek 


4 


<> 


3S 


<> 


TPM.PUBKEY 


pubEndorsementKey 


The public endorsement key 


5 


20 


4S 


20 


TPM.DIGEST 


checksum 


Hash of pubEndorsementKey and antiReplay 



497 



498 
499 

500 

501 

502 

503 

504 
505 

506 



Description 

This command returns the PUBEK. 
Actions 

The TPM_ReadPubek command SHALL 

1. If TPM_PERMANENT_FLAGS -> readPubek is FALSE return TPM_DISABLED_CMD 

2. If no EK is present the TPM MUST return TPM_NO_ENDORSEMENT 

3. Create checksum by performing SHA1 on the concatenation of (pubEndorsementKey | | 
antiReplay). 

4. Export the PUBEK and checksum. 
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507 

508 

509 

510 
511 
512 

513 
514 



14.5 TPM OwnerReadlnternalPub 



Start 'of informative comment: 



A TPM Owner authorized command that returns th^ of the EK or SRK, 

The keyHandle parameter is included in the incoming session authorization to prevent 
alteration of the value ] causing a different key to be read. Unlike most; key handles, which 
can be mapped by higher layer software, this key handle has only two fixed values. 



End of informative comment. 



Incoming Operands and Sizes 



PARAM 


HMAC 1 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPMJTAG 


tag 


TPM_TAG_RQU_AUTH 1 _C0MMAN D j 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_C0MMAND_C0DE 


ordinal 


Command ordinal: TPM_ORD_OwnerReadlntemalPub 


4 


4 


2S 


4 


TPM_KEY_HANDLE 


keyHandle 


Handle for either PUBEK or SRK 


5 


4 






TPM_AUTHHANDLE 


authHandle 


The authorization session handle used for owner authenticatioa 






2H1 


20 


TPM.NONCE 


authLastNonceEven 


Even nonce previously generated by TPM to cover inputs 


6 


20 


3H1 


20 


TPM.N0NCE 


nonceOdd 


Nonce generated by system associated with authHandle 


7 


1 


4H1 


1 


BOOL 


continueAuthSession 


The continue use flag for be authorization session handle 


8 


20 






TPM_AUTHDATA 


ownerAuth 


The authorization session digest for inputs and owner authentication. 
HMAC key: ownerAuth. 


Ou 


tgo 


ing C 


>perands and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM.TAG 


tag 


TPM_TAG _RSP_AUTH 1 .COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM.RESULT 


returnCode 


The return code of the operation. 






2S 


4 


TPM_C0MMAND_C0DE 


ordinal 


Command ordinal: TPM_0RD_0wnerReadlnternalPub 


4 


o 


3S 


o 


TPM_PUBKEY 


publicPortion 


The public portion of the requested key 


5 


20 


2H1 


20 


TPM_N0NCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 






3H1 


20 


TPM.NONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


6 


1 


4H1 


1 


BOOL 


continueAuthSession 


Continue use flag, TRUE if handle is still active 


7 


20 






TPM_AUTHDATA 


resAuth 


The authorization session digest for the returned parameters. HMAC key: 
ownerAuth. 



515 



516 
517 
518 
519 



Actions 

1 . Validate the parameters and TPM Owner AuthData for this command 

2. If keyHandle is TPM_KH_EK 

a. Set publicPortion to PUBEK 
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520 3. Else If keyHandle is TPM__KI-LSRK 

52 1 a. Set publicPortion to the TPM_PUBKEY of the SRK 

522 4. Else return TPM_BAD_PARAMETER 

523 5, Export the public key of the referenced key 
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524 15. Identity Creation and Activation 

525 15.1 TPMJVIakeldentity 



526 
527 
528 



P^P! /Aim 
Generate a new Attestation Identity Key (AIK) 

Enid of iriformaHve cbminent. 



529 Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM_TAG 


tag 


TPM_TAG_RQU_AUTH2_C0MMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes ind. paramSize and tag 


3 


4 


1S 


4 


TPM.COMMANDCODE 


ordinal 


Command ordinal: TPM_ORD_Maketdentity. 


4 


20 


2S 


20 


TPM.ENCAUTH 


identityAuth 


Encrypted usage AuthData for the new identity 


5 


20 


3S 


20 


TPM_CHOSENIDJHASH 


labeiPrivCADigest 


The digest of the identity label and privacy CA chosen for the AIK 


6 


o 


4S 


<> 


TPM_KEY 


idKeyParams 


Structure containing ail parameters of new identity key. 
pubKey.keyLength & idKeyParams.encData are both OMAYbe 
TPM_KEY12 


7 


4 






TPMJMJTHHANDLE 


srkAuthHandle 


The authorization session handle used for SRK authorization. 






2H1 


20 


TPM_N0NCE 


srkLastNonceEven 


Even nonce previously generated by TPM 


8 


20 


3H1 


20 


TPMJMONCE 


srknonceOdd 


Nonce generated by system associated with srkAuthHandle 


9 


1 


4H1 


1 


BOOL 


continueSrkSession 


Ignored 


10 


20 






TPM_AUTHDATA 


srkAuth 


The authorization session digest for the inputs and the SRK. HMAC 
key: srk.usageAuth. 


11 


4 






TPM_AUTHHANDLE 


authHandle 


The authorization session handle used for owner authenticatioa 
Session type MUST be OSAP. 






2H2 


20 


TPM_N0NCE 


authLastNonceEven 


Even nonce previously generated by TPM to cover inputs 


12 


20 


3H2 


20 


TPM.NONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


13 


1 


4H2 


1 


BOOL 


continueAuthSession 


Ignored 


14 


20 




20 


TPM.AUTHDATA 


ownerAuth 


The authorization session digest for inputs and owner. HMAC key: 
ownerAuth. 
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530 Outgoing Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM.TAG 


tag 


TPM_TAG_RSP_AUTH2_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_RESULT 


returnCode 


The return code of the operation. 






2S 


4 


TPM_C0MMAND_C0DE 


ordinal 


Command ordinal:TPM_ORD_Makeldentity. 


4 


<> 


3S 


<> 


TPIVL.KEY 


idKey 


The newly created identity key . MAY be TPM_KEY12 


5 


4 


4S 


4 


UINT32 


identityBindingSize 


The used size of the output area for identityBinding 


6 


<> 


5S 


<> 


BYTE[] 


identityBinding 


Signature of TPM_IDENTITY_CONTENTS using idKey.private. 


"7 
1 




2H2 


20 


TPM.N0NCE 


srkNonceEven 


Even nonce newly generated by TPM. 






3H2 


20 


TPM_N0NCE 


srknonceOdd 


Nonce generated by system associated with srkAuthHandle 


8 


1 


4H2 


1 


BOOL 


continueSrkSession 


Continue use flag. Fixed value of FALSE 


9 


20 






TPM.AUTHDATA 


srkAuth 


The authorization session digest used for the outputs and srkAuth 
session. HMAC key: srk.usageAuth. 


10 


20 


2H1 


20 


TPMJMONCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 






3H1 


20 


TPM.NONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


11 


1 


4H1 


1 


BOOL 


continueAuthSession 


Continue use flag. Fixed value of FALSE 


12 


20 




20 


TPM_AUTHDATA 


resAuth 


The authorization session digest for the returned parameters. HMAC key: 
ownerAuth. 



531 Description 

532 The public key of the new TPM identity SHALL be identityPubKey. The private key of the 

533 new TPM identity SHALL be tpm_signature_key. 

534 Properties of the new identity 



Type 


Name 


Description 


TPM_PUBKEY 


identityPubKey 


This SHALL be the public key of a previously unused asymmetric key pair. 


TPM_STORE_ASYMKEY 


tpm_signature_key 


This SHALL be the private key that forms a pair with identityPubKey and SHALL be 
extant only in a TPM -shielded location. 



535 

536 This capability also generates a TPM_KEY containing the tpm_signature_key. 

537 If identityPubKey is stored on a platform it SHALL exist only in storage to which access is 

538 controlled and is available to authorized entities. 

539 Actions 

540 A Trusted Platform Module that receives a valid TPM_MakeIdentity command SHALL do the 

541 following: 

542 1 . Validate the idKeyParams parameters for the key description 

543 a. If the algorithm type is RSA the key length MUST be a minimum of 2048. For 

544 interoperability the key length SHOULD be 2048 
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545 b. If the algorithm type is other than RSA the strength provided by the key MUST be 

546 comparable to RSA 2048 

547 c. If the TPM is not designed to create a key of the requested type, return the error code 

548 TPM„BAD„KEY_PROPERTY 

549 d. If TPM_PERMANENT_FLAGS -> FIPS is TRUE then 

550 i. If authDataUsage specifies TPM_AUTH_NEVER return TPM_NOTFIPS 

551 2. Use authHandle to verify that the Owner authorized all TPMJMakeldentity input 

552 parameters. 

553 3. Use srkAuthHandle to verify that the SRK owner authorized all TPM_MakeIdentity input 

554 parameters. 

555 4. Verify that idKeyParams -> keyUsage is TPMJCEYJDENTITY. If it is not, return 

556 TPM_INVALID_KEYUSAGE 

557 5. Verify that idKeyParams -> keyFlags -> migratable is FALSE. If it is not, return 

558 TPM_INVALID_KEYUSAGE 

559 6. If authHandle indicates XOR encryption for the AuthData secrets 

560 a. Create XI the SHA-1 of the concatenation of (ownerAuth -> sharedSecret | | 

561 authLastNonceEven) 

562 b. Create al by XOR XI and identityAuth 

563 7. Else 

564 a. Create al by decrypting identityAuth using the algorithm indicated in the OSAP 

565 session 

566 b. Key is from ownerAuth -> sharedSecret 

567 c. IV is SHA-1 of (authLastNonceEven | | nonceOdd) 

568 8. Set continueAuthSession and continueSRKSession to FALSE. 

569 9. Determine the structure version 

570 a. If idKeyParms -> tag is TPM_TAG_KEY 1 2 

571 i. SetVlto2 

572 ii. Create idKey a TPM_KEY12 structure using idKeyParams as the default values for 

573 the structure 

574 b. If idKeyParms -> ver is 1 . 1 

575 i. SetVltol 

576 ii. Create idKey a TPM_KEY structure using idKeyParams as the default values for 

577 the structure 

578 10. Set the digestAtCreation values for pcrlnfo 

579 a. For TPM_PCR_INFO_LONG include the locality of the current command 

580 11. Create an asymmetric key pair (identityPubKey and tpm_signature_key) using a TPM- 

581 protected capability, in accordance with the algorithm specified in idKeyParams 
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582 12. Ensure that the AuthData information in A 1 is properly stored in the idKey as 

583 usageAuth. 

584 13. Attach identity PubKey and tpm_signature_key to idKey 

585 14. Set idKey -> migrationAuth to TPM_PERM ANENT_DATA~ > tpmProof 

586 15. Ensure that all TPM_PAYLOAD_TYPE structures identify this key as TPM_PT_ASYM 

587 16. Encrypt the private portion of idKey using the SRK as the parent key 

588 17. Create a TPM_IDENTITY_CONTENTS structure named idContents using 

589 labelPrivCADigest and the information from idKey 

590 18. Sign idContents using tpm_signature_key and TPM_SSJRSASSAPKCSlvl5_SHAl. Store 

59 1 the result in identityBinding. 



Level 2 Revision 94 29 March 2006 Draft 



149 

TCG Published 



Copyright © TCG 



TPM Main Part 3 Commands 
Specification Version 1.2 



592 

593 

594 
595 
596 

597 
598 
599 

500 
601 

602 
603 
604 

605 
606 

607 
608 



15.2 TPM_Activateldentity 

Start of informative comment: ~ j 

The purpose of TPM_ActivateIdentity is to twofold. The first purpose is to obtain assurance i 
that the credential in the TPM_SYM_CA_ATTESTATION is for this TPM. The second purpose 
is to obtain the session key used to encrypt the TPM_IDENTITY_CREDENTIAL. 

This is an extension to the 1.1 functionality of TPM_ActivateIdentity. The blob sent to from 
the CA can be in the 1.1 format or the 1.2 format. The TPM determines the type from the 
size or version information in the blob. ; 

TPM_ActivateIdentity checks that the symmetric session key corresponds to a TPM-identity 
before releasing that session key. 

Only the Owner of the TPM has the privilege of activating a TPM identity. The Owner is 
required to authorize the TPM_ActivateIdentity command. The owner may authorize the 
command using either the TPM_OIAP or TPM_OSAP authorization protocols. 

The creator of the Activateldentity package can specify if any PCR values are to be checked 
before releasing the session key. 

End of informative comment. " ; : ; : _j ■ -p-^'-A- ;■ ' 

Incoming Parameters and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM_TAG 


tag 


TPM_TAG_RQU_AUTH2_C0MMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes incl. paramSize and tag 


3 


4 


1S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal: TPM_ORD_Activateldentity 


4 


4 






TPM_KEY_HANDLE 


IdKey Handle 


Identity key to be activated 


5 


4 


2S 


4 


UINT32 


blobSize 


Size of encrypted blob from CA 


6 


o 


3S 


<> 


BYTE [ ] 


blob 


The encrypted ASYM_CA_CONTENTSorTPM_EK_BLOB 


7 


4 






TPM_AUTHHANDLE 


idKeyAuthHandle 


The authorization session handle used for ID key authorization. 






2H1 


20 


TPM.NONCE 


idKeyLastNonceEven 


Even nonce previously generated by TPM 


8 


20 


3H1 


20 


TPM„N0NCE 


idKeynonceOdd 


Nonce generated by system associated with idKeyAuthHandle 


9 


1 


4H1 


1 


BOOL 


continueldKeySession 


Continue usage flag for idKeyAuthHandle. 


10 


20 






TPM_AUTHDATA 


IdKeyAuth 


The authorization session digest for the inputs and ID key. HMAC key: 
idKey.usageAuth. 


11 


4 






TPM_AUTHHANDLE 


authHandle 


The authorization session handle used for owner authenticate 






2H2 


20 


TPM.NONCE 


authLastNonceEven 


Even nonce previously generated by TPM to cover inputs 


12 


20 


3H2 


20 


TPM_N0NCE 


nonceOdd 


Nonce generated by system associated with authHandle 


13 


1 


4H2 


1 


BOOL 


continueAuthSession 


The continue use flag for the authorization session handle 


14 


20 




20 


TPM.AUTHDATA 


ownerAuth 


The authorization session digest for inputs and owner. HMAC key: 
ownerAuth. 
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609 Outgoing Parameters and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPMJTAG 


tag 


TPM_TAG_RSP_AUTH2_COMMAND 


2 


4 






UINT32 


para m Size 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_RESULT 


returnCode 


The return code of the operation. 






2S 


4 


TPM_C0MMAND_C0DE 


ordinal 


Command ordinal:TPM_ORD_Adivateldentity 


4 


o 


3S 


<> 


TPM_SYMMETRIC_KEY 


symmetricKey 


The decrypted symmetric key. 


5 


20 


2H1 


20 


TPM_N0NCE 


idKeyNonceEven 


Even nonce newly generated by TPM. 






3H1 


20 


TPM NONCE 

1 1 IVI IIVIIVL 


itiKpvnonceOdd 


Noncp aeneratpd bv svstem associated with id KevAuth Handle 


6 


1 


4H1 


1 


BOOL 


continueldKeySession 


Continue use flag, TRUE if handle is still active 


7 


20 






TPM_AUTHDATA 


idKeyAuth 


The authorization session digest used for the returned parameters and 
idKeyAuth session. HMAC key: idKey.usageAuth. 


8 


20 


2H2 


20 


TPM_N0NCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 






3H2 


20 


TPMJJONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


9 


1 


4H2 


1 


BOOL 


continueAuthSession 


Continue use flag, TRUE if handle is still active 


10 


20 




20 


TPM.AUTHDATA 


resAuth 


The authorization session digest for the returned parameters. HMAC 
key: ownerAuth. 



610 Description 

611 1 . The command TPM_ActivateIdentity activates a TPM identity created using the command 

612 TPM_MakeIdentity. 

613 2. The command assumes the availability of the private key associated with the identity. 

614 The command will verify the association between the keys during the process. 

615 3. The command will decrypt the input blob and extract the session key and verify the 

616 connection between the public and private keys. The input blob can be in 1.1 or 1.2 

617 format. 

618 Actions 

619 A Trusted Platform Module that receives a valid TPM_ActivateIdentity command SHALL do 

620 the following: 

621 1 . Using the authHandle field, validate the owner's AuthData to execute the command and 

622 all of the incoming parameters. 

623 2. Using the idKeyAuthHandle, validate the AuthData to execute command and all of the 

624 incoming parameters 

625 3. Validate that the idKey is the public key of a valid TPM identity by checking that 

626 idKeyHandle -> keyUsage is TPM_KEY_IDENTITY. Return TPM_BAD_PARAMETER on 

627 mismatch 

628 4. Create HI the digest of a TPM_PUBKEY derived from idKey 

629 5. Decrypt blob creating Bl using PRIVEK as the decryption key 
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630 6. Determine the type and version of Bl 

63 1 a. If B 1 -> tag is TPM_TAG_EK_BLOB then 

632 i. B 1 is a TPM_EK_BLOB 

633 b. Else 

634 i. Bl is a TPM_ASYM_CA_CONTENTS . As there is no tag for this structure it is 

635 possible for the TPM to make a mistake here but other sections of the structure 

636 undergo validation 

637 7. If Bl is a version 1.1 TPM_ASYM__CA__CONTENTS then 

638 a. Compare HI to Bl -> idDigest on mismatch return TPMJBAD_PARAMETER 

639 b. Set Kl to Bl -> sessionKey 

640 8. If B 1 is a TPM_EK_BLOB then 

641 a. Validate that Bl -> ekType is TPM_EK_TYPE_ACTIVATE , return TPM_BAD_TYPE if 

642 not. 

643 b. Assign Al as a TPM_EK_BLOB_ACTIVATE structure from Bl -> blob 

644 c. Compare HI to Al -> idDigest on mismatch return TPMJ8AD_PARAMETER 

645 d. If Al -> pcrSelection is not NULL 

646 i. Compute a composite hash CI using the PCR selection Al -> pcrSelection 

647 ii. Compare CI to Al -> pcrInfo>digestAtRelease and return TPM_WRONGPCRVAL 

648 on a mismatch 

649 iii. If Al -> pcrlnfo specifies a locality ensure that the appropriate locality has been 

650 asserted, return TPM_BAD_LOCALITY on error 

651 e. Set Kl to Al -> symmetricKey 

652 9. Return Kl 
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653 16. Integrity Collection and Reporting 




657 1 . The TPM SHALL only allow the following commands to alter the value of 

658 TPM_STCLEAR_DATA -> PCR 

659 a. TPM_Extend 

660 b. TPM_SHAlCompleteExtend 

661 c. TPM_Startup 

662 d. TPM_PCR_Reset 
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663 
664 
665 
666 



16.1 TPM Extend 



Start of informative comment: 

This adds a new measurement to a PCR 



- ■ ■• 



End of informative comment. 



667 Incoming Operands and Sizes 



PARAM 


HMAC i 


Type j 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM_TAG 


tag 


TPM_TAG_RQU_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal: TPM_ORD_Extend. 


4 


4 


2S 


4 


TPM„PCRINDEX 


pcnNum 


The PCR to be updated. 


5 


20 


3S 


20 


TPM.DIGEST 


inDigest 


The 160 bit value representing the event to be recorded. 


Outgoing Operands and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM_TAG 


tag 


TPM_TAG_RSP_COMMAND 


2 


4 






UINT32 


paramSize . 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_RESULT 


retumCode 


The return code of the operation. 






2S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinat TPM_ORD_Extend. 


4 


20 


3S 


20 


TPM_PCRVALUE 


outDigest 


The PCR value after execution of the command. 



668 



669 
670 

671 

672 

673 

674 
675 

676 
677 

678 

679 

680 
681 

682 



Descriptions 

Add a measurement value to a PCR 
Actions 

1. Map LI to TPM_STANY_FLAGS -> locality Modifier 

2. Map PI to TPM_PERMANENT_DATA -> pcrAttrib [pcrNum]. pcrExtendLocal 

3. If, for the value of LI, the corresponding bit is not set in the bit map PI, return 
TPM_BAD_LOCALITY 

4. Create cl by concatenating (TPM_STCLEAR_DATA -> PCR[pcrNum] | | inDigest). This 
takes the current PCR value and concatenates the inDigest parameter. 

5. Create hi by performing a SHA1 digest of cl. 

6. Store hi to TPM_STCLEAR_DATA -> PCR[pcrNum] 

7. If TPM_PERMANENT_FLAGS -> disable is TRUE or TPM_STCLEAR_FLAGS -> deactivated 
is TRUE 

a. Set outDigest to 20 bytes of 0x00 
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683 8. Else 

684 a. Set outDigest to hi 
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685 16.2 TPM PCRRead 



687 
688 

689 



686 Start of informative comment: 



■ : - 



The TPM PGRRead operation provides nonK:iyptographic reporting of the contents of a, 
named PGR. • .: -.^^ ■ - 



End of informative comment. 



690 Incoming Operands and Sizes 



PARAM 


HMAC J 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM_TAG 


tag 


TPM_TAG_RQU_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM.COMMANDCODE 


ordinal 


Command ordinal: TPM_ORD_PCRRead 


4 


4 


2S 


4 


TPM.PCRINDEX 


pcrlndex 


Index of the PCR to be read 


Outgoing Operands and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPMJTAG 


tag 


TPM_TAG_RSP_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes Including paramSize and tag 


3 


4 


1S 


4 


TPM.RESULT 


return Code 


The return code of the operation. 






2S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinat TPM_ORD_PCRRead 


4 


20 


3S 


20 


TPM_PCRVALUE 


outDigest 


The current contents of the named PCR 



691 



692 

693 
694 

695 
696 
697 
698 



Description 

The TPM_PCRRead operation returns the current contents of the named register to the 
caller. 

Actions 

1. Set outDigest to TPM_STCLEAR_DATA -> PCR[pcrIndex] 

2. Return TPM SUCCESS 
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699 

700 

701 
702 
703 
704 

705 
706 
707 
708 

709 
710 



16.3 TPM Quote 



Start of informative comment: 

The TPM_Quote operation provides cryptographic reporting of PCR values. A loaded key is 
required for operation. TPM_Quote uses a key to sign a statement that names the current 
value of a chosen PGR and externally supplied data (which may be a nonce supplied by a 
Challenger). 

The term "ExternalData" is used because an important use of TPM_Quote is to provide a 
digital signature on arbitrary data, where the signature includes the PGR values of the j 
{platform at time of signing. Hence the "ExternalData" is not just for anti-replay purposes, ! 
(although it is (of course) used for that purpose in an integrity challenge. J 

[End of informative comment. 
Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


sz 


# 


SZ 


1 


2 






TPM.TAG 


tag 


TPM_TAG_RQU_AUTH1 .COMMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinat TPM_ORD_Quote. 


4 


4 






TPM_KE Y_H AN DLE 


keyHandle 


The keyHandle identifier of a loaded key that can sign the PCR values. 


5 


20 


2S 


20 


TPM_N0NCE 


extemalData 


160 bits of externally supplied data (typically a nonce provided by a 
server to prevent replay -attacks) 


6 


o 


3S 


o 


TPM_PCR_SELECTI0N 


targetPCR 


The indices of the PCRs that are to be reported. 


7 


4 






TPM_AUTHHANDLE 


authHandle 


The authorization session handle used for keyHandle authorization. 






2H1 


20 


TPM.NONCE 


authLastNonceEven 


Even nonce previously generated by TPM to cover inputs 


8 


20 


3H1 


20 


TPM.N0NCE 


nonceOdd 


Nonce generated by system associated with authHandle 


9 


1 


4H1 


j 1 


BOOL 


continueAuthSession 


The continue use flag for the authorization session handle 


10 


20 






TPM.AUTHDATA 


privAuth 


The authorization session digest for inputs and keyHandle. HMAC key: 
key -> usageAuth. 
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711 Outgoing Operands and Sizes 



PARAM 


! HMAC 


Type 


Name 


uescription 


# 


SZ 


I # 


SZ 


1 


2 






TPM_TAG 


tag 


TPM_TAG_RSP_AUTH1_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_RESULT 


returnCode 


The return code of the operation. 








4 


TPM_C0MMAND_C0DE 


ordinal 


Command ordinat TPM_ORD_Quote. 


4 


o 


3S 


o 


TPM_PCR_C0MP0SITE 


pcrOata 


r\ oLiutiuic uuiiidininy ine bame inuicco db laiyeirOrx, pius uic 
corresponding current PCR values. ! 


5 


4 


4S 


4 


UINT32 


sigSize 


The used size of the output area for the signature 


6 


<> 


5S 


<> 


BYTE[] 


sig 


The signed data blob. 


7 


20 


2H1 


20 


TPM_N0NCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 






3H1 


20 


TPM_N0NCE 


nonceOdd 


Nonce generated by system associated with authHandle 


8 


1 


4H1 


1 


BOOL 


continueAuthSession 


Continue use flag, TRUE if handle is still active 


9 


20 






TPM_AUTHDATA 


resAuth 


The authorization session digest for the returned parameters. HMAC key: 
Key -> usageAuth. 



712 Actions 

713 1 . The TPM MUST validate the AuthData to use the key pointed to by keyHandle. 

714 2. The keyHandle -> sigScheme MUST use SHA-1, return TPM^INAPPROPRIATE_SIG if it 

715 does not 

716 3. Validate that keyHandle -> keyUsage is TPM_KEY_SIGNING, TPM_KEY_IDENTITY, or 

717 TPM_KEY_LEGACY, if not return TPM_INVALID_KEYUSAGE 

718 4. Validate targetPCR 

7 19 a. targetPCR is a valid TPM_PCR_SELECTION structure 

720 b. On errors return TPM_INVALID_PCR_INFO 

721 5. Create HI a SHA-1 hash of a TPM_PCR_COMPOSITE using the TPM_STCLEAR_DATA -> 

722 PCR indicated by targetPCR -> pcrSelect 

723 6. Create Ql a TPM_QUOTE_INFO structure 

724 a. Set Ql -> version to 1.1.0.0 

725 b. Set Ql -> fixed to "QUOT" 

726 c. Set Ql -> digestValue to HI 

727 d. Set Ql -> externalData to externalData 

728 7. Sign SHA-1 hash of Ql using keyHandle as the signature key 

729 8. Return the signature in sig 
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730 

731 

732 
733 
734 

735 
736 
737 

738 
739 
740 

741 

742 

743 

744 

745 

746 

747 

748 

749 

750 

751 

752 

753 

754 
755 
756 
757 

758 
759 



16.4 TPM PCR Reset 



Start of informative comment: j 

For PCR with the pcrReset attribute set to TRUE, this command resets the PGR back to the 
default value, this mimics the actions of TPM Init. The PCR may have restrictions as to 
which locality can perform the reset operation. 

Sending a null pcrSelection results in an error is due to the requirement that the command 
actually do something. If pcrSelection is null there are no PCR to reset and the command 
would then do nothing. 

For PCR that are resettable, the presence of a Truste d Operating System (TOS) can change 
[the behavior of TPM PGR Reset. The following pseudo code shows how the behavior 
[changes 

! At TPM_Startup ! ' 

If TPM JPCR_ATTRIBUTES - >pcrReset is FALSE 
Set PCR to 0x00. . .00 

Else/ 

!@ Set PCR to 0xFF...FF 
At TPM_PCR_Reset 

If TPM_PCR_ATTRIBUTES - > pcrRe set is TRUE 

If TOSPresent .. ! ; ' , 

Set PCR to 0x00... 00 
Else ' '■'}) . W0 ::[ f;''f : ^^P^ yp<;p. v • ■ mmM 

Set PCR to OxFF. . .FF • ■ 

Else ' ' Y v: ' h -^'V^:V : ;;; 'v'S^ 

Return error 

The above pseudocode is for example only, for the details of a specific platform, the reader 
must review the platform specific specification. The purpose of the above pseudocode is to j 
show that both pcrReset and the TOSPresent bit control the value in use to when the PCRj 
resets. mWm^H ■ ' ?M ^rv^-'^V^vi:-^'.^- ^ - : %^ -\JSMm \ 



End of informative comment. 



J 



Incoming Parameters and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM.TAG 


tag 


TPM_TAG_RQU_C0MMAND 


2 


I 4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_C0MMAND_C0DE 


ordinal 


Command ordinal: TPM_ORD_PCR_Reset 


4 


<> 


2S 


<> 


TPM_PCR_SELECTI0N 


pcrSelection 


The PCR's to reset 



Level 2 Revision 94 29 March 2006 Draft 



159 

TCG Published 



Copyright © TCG 



TPM Main Part 3 Commands 
Specification Version 1 .2 



760 Outgoing Parameters and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM.TAG 


tag 


TPM_TAG_RSP_C0MMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_RESULT 


returnCode 


The return code of the operation. 






2S 


4 


TPM_C0MMAND_C0DE 


ordinal 


Command ordinal: TPM_0RD_PCR_Reset 



761 Descriptions 

762 This command resets PCR values back to the default value. The command MUST validate 

763 that all PCR registers that are selected are available to be reset before resetting any PCR. 

764 This command MUST either reset all selected PCR registers or none of the PCR registers. 

765 Actions 

766 1 . Validate that pcrSelection is valid 

767 a. is a valid TPM_PCR_SELECTION structure 

768 b. pcrSelection -> per Select is non-zero 

769 c. On errors return TPM_INVALID_PCR_INFO 

770 2. Map LI to TPM_STANY_FLAGS -> localityModifier 

771 3. For each PCR selected perform the following 

772 a. If TPM_PERMANENTJDATA -> pcrAttrib[pcrIndex].pcrReset is FALSE, return 

773 TPM_NOTRESETABLE 

774 b. If, for the value LI, the corresponding bit is clear in the bit map 

775 TPM_PERMANENT_DATA -> pcrAttrib[pcrIndex].pcrResetLocal, return TPMJMOTLOCAL 

776 4. For each PCR selected perform the following 

777 a. The PCR MAY only reset to 0x00. . .00 or OxFF. . .FF 

778 b. The logic to determine which value to use MUST be described by a platform specific 

779 specification 
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780 

781 

782 
783 
784 
785 

786 
787 
788 
789 

790 
791 
792 
793 

794 
795 



16.5 TPM Quote2 



Start of informative comment: 

The TPM_Quote2 operation provides cryptographic reporting of PCR values. A loaded key is 
required for operation. TPM_Quote2 uses a key to sign a statement that names the current 
value of a chosen PCR and externally supplied data (which may be a nonce supplied by a 
Challenger). 

The term "externalData" is used because an important use of TPM_Quote2 is to provide a 
digital signature on arbitrary data, where the signature includes the PCR values of the 
platform at time of signing. Hence the "externalData" is not just for anti-replay purposes, 
although it is (of course) used for that purpose in an integrity challenge. 

TPM_Quote2 differs from TPM_Quote in that TPM_Quote2 uses TPM_PCR_INFO_SHORT to 
hold information relative to the PCR egisters. TPM_PCR_INFO_SHORT includes locality 
information to provide the requestor a more complete view of the current platform 
configuration. 

End of informative comment. ^ : - : ;„„. 



Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 ! 


2 






TPM_TAG 


tag 


TPM_TAG_RQU_AUTH 1_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal TPM_ORD_Quote2 


4 


4 






TPM_KEY_HANDLE 


keyHandle 


The keyHandle identifier of a loaded key that can sign the PCR values. 


5 


20 


2S 


20 


TPM.NONCE 


externalData 


160 bits of externally supplied data (typically a nonce provided by a 
server to prevent replay -attacks) 


6 


<> 


3S 


<> 


TPM_PCR_SELECTION 


targetPCR 


The indices of the PCRs that are to be reported. 


7 


1 


4S 


1 


BOOL 


addVersion 


When TRUE add TPM__CAP_VERSIONJNFO to the output 


8 


4 






TPM.AUTHHANDLE 


authHandle 


The authorization session handle used for keyHandle authorization. 






2H1 


20 


TPM.NONCE 


authLastNonceEven 


Even nonce previously generated by TFM to cover inputs 


9 


20 


3H1 


20 


TPM_N0NCE 


nonceOdd 


Nonce generated by system associated with authHandle 


10 


1 


4H1 


1 


BOOL 


continueAuthSession 


The continue use flag for the authorization session handle 


11 


20 






TPM.AUTHDATA 


privAuth 


The authorization session digest for inputs and keyHandle. HMAC key: 
key -> usageAuth. 
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796 Outgoing Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


sz 


# 


SZ 


1 | 


2 






TPM.TAG 


tag 


TPM_TAGJ*SP_AUTH1_C0MMAND 


2 


4 






UINT32 


paramSize | 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_RESULT 


returnCode 


The return code of the operation. 






2S 


4 


TPM_C0MMAND_C0DE 


ordinal 


Command ordinal: TPM_ORD_Quote2 


4 


o 


3S 


<> 


TPM_PCR_INFO_SHORT 


pcrData 


The value created and signed for the quote 


i 5 


4 


4S 


4 


UINT32 


versionlnfoSize 


Size of the version info 


6 


<> 


5S 


o 


TPM_CAP_VERSIONJNFO 


versionlnfo 


The version info 


7 


4 


6S 


4 


UINT32 


sigSize 


The used size of the output area for the signature 


8 


o 


7S 


<> 


BYTE[] 


sig 


The signed data blob. 


9 


20 


2H1 


20 


TPM_N0NCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 






3H1 


20 


TPM_N0NCE 


nonceOdd 


Nonce generated by system associated with auth Handle 


10 


1 


4H1 


1 


BOOL 


continueAuthSession 


Continue use flag, TRUE if handle is still active 


11 


20 






TPMJUJTHDATA 


resAuth 


The authorization session digest for the returned parameters. HMAC key: 
Key -> usageAuth. 



797 Actions 

798 1. The TPM MUST validate the AuthData to use the key pointed to by keyHandle. 

799 2. The keyHandle -> sigScheme MUST use SHA-1, return TPM_INAPPROPRIATE_SIG if it 

300 does not 

301 3. Validate targetPCR is a valid TPM_PCR_SELECTION structure, on errors return 

302 TPMJNVALID_PCR_INFO 

303 4. Create HI a SHA-1 hash of a TPM_PCR_COMPOSITE using the TPM_STCLEAR_DATA -> 

304 PCR[] indicated by targetPCR -> pcrSelect 

305 5. Create SI a TPM„PCR_INFO„SHORT 

306 a. Set SI ->pcrSelection to targetPCR 

307 b. Set Sl->localityAtRelease to TPM_STANY_DATA -> localityModifier 

308 c. Set Sl->digestAtRelease to HI 

309 6. Create Ql a TPM_QUOTE_INF02 structure 

310 a. Set Ql -> fixed to "QUT2" 

311 b. Set Ql -> infoShort to SI 

312 c. Set Ql -> externalData to externalData 

313 7. If addVersion is TRUE 

314 a. Concatenate to Ql a TPM_CAP_VERSION_INFO structure 

315 b. Set the output parameters for versionlnfo 
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316 8. Else 

317 a. Set versionlnfoSize to 0 

318 b. Return no bytes in versionlnfo 

319 9. Sign a SHA-1 hash of Ql using keyHandle as the signature key 

320 10. Return the signature in sig 
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S2i 17. Changing AuthData 
17.1 TPM_ChangeAuth 



822 

S23 

324 
325 

326 
327 
328 
829 

330 
331 

832 



Start of informative comment: 

The TPM_ChangeAuth command allows the owner of an entity to change the AuthData for 
the entity. • | 

lTPM_ChangeAuth requires the encryption of one parameter ("NewAuth"). For the sake of 
uniformity with other commands that require the encryption of more than one parameter, \ 
the parameters used for used encryption are generated from the authLastNonceEven 
(created during the OSAP session), nonceOdd, and the session shared secret. > 

.The parameter list to this command must always include two authorization sessions 

regardless of the state of authDataUsage for the respective keys. 

):-^';V:--: > ■ 1 ■ ' ^ • - - : • ^r'\ 

!Bnd of informative comment. 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM_TAG 


tag 


TPM_TAG_RQU_AUTH2_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM .COMMAND.CODE 


ordinal 


Command ordinal: TPM.ORD.ChangeAuth 


4 


4 






TPM _KEY_HANDLE 


parentHandle 


Handle of the parent key to the entity. 


5 


2 


2S 


2 


TPM.PROTOCOLJD 


protocollD 


The protocol in use. 


6 


20 


3S 


20 


TPM.ENCAUTH 


newAuth 


The encrypted new AuthData for the entity. The encryption key is the 
shared secret from the OSAP protocol. 


7 


2 


4S 


2 


TPM _ENTITY_TYPE 


entityType 


The type of entity to be modified 


8 


4 


5S 


4 


UINT32 


encDataSize 


The size of the encData parameter 


9 


<> 


6S 


<> 


BYTE[] 


encData 


The encrypted entity that is to be modified. 


10 


4 






TPM.AUTHHANDLE 


parentAuthHandle 


The authorization session handle used for the parent key. 






2H1 


20 


TPM .NONCE 


authLastNonceEven 


Even none e previously generated by TPM to cover inputs 


11 


20 


3H1 


20 


TPM .NONCE 


nonceOdd 


Nonce generated by system associated with parentAuthHandle 


12 


1 


4H1 


1 


BOOL 


continueAuthSession 


Ignored, parentAuthHandle is always terminated. 


13 


20 






TPM .AUTHDATA 


parentAuth 


The authorization session digest for inputs and parentHandle. HMAC 
key: parentKey.usageAuth. 


14 


4 






TPM .AUTHHANDLE 


entityAuthHandle 


The authorization session handle used for the encrypted entity. The 
session type MUST be OIAP 






2H2 


20 


TPM .NONCE 


entitylastNonceEven 


Even nonce previously generated by TPM 


15 


20 


3H2 


20 


TPM .NONCE 


entitynonceOdd 


Nonce generated by system associated with entityAuthHandle 


16 


1 


4H2 


1 


BOOL 


continueEntitySession 


Ignored, entityAuthHandle is always terminated. 


17 


20 






TPM .AUTHDATA 


entityAuth 


The authorization session digest for the inputs and encrypted entity. 
HMAC key: entity.usageAuth. 
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333 Outgoing Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM_TAG 


tag 


TPM.TAG.RSP.AUTH2.COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM ^RESULT 


returnCode 


The return code of the operation. See section 4.3. 






2S 


4 


TPM _C0MMAND_C0DE 


ordinal 


Command ordinal TPM_ORD_ChangeAuth j 


4 


4 


3S 


4 


UINT32 


outDataSize 


The used size of the output area for outData 


5 


o 


4S 


o 


BYTE[] 


outData 


The modified, encrypted entity. 


6 


20 


2 H1 


20 


TPM .NONCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 






3H1 


20 


TPM NONPF 


I IUI IKJvJUU 


Nnnnp npnprated hv sv<?tpm a^sociatpd with DarentAuthHandle 

MVJIIVsw MvllClalCU \Jj Oj OICI 1 1 OOOUVnulCU Willi paid ll/^Ull II IdllVlw 


7 


1 


4H1 


1 


BOOL 


continueAuthSession 


Continue use flag, fixed value of FALSE 


8 


20 






TPM_AUTHDATA 


resAuth 


The authorization session digest for the returned parameters and 
parentHandle. HMAC key: parentKey.usageAuth. 


9 


20 


2H2 


20 


TPM .NONCE 


entityNonceEven 


Even nonce newly generated by TPM to cover entity 






3H2 


20 


TPM_N0NCE 


entitynonceOdd 


Nonce generated by system associated with entityAuthHandle 


10 


1 


4H2 


1 


BOOL 


continueEnlity Session 


Continue use flag, fixed value of FALSE 


11 


20 






TPM _AUTH DATA 


entityAuth 


The authorization session digest for the returned parameters and entity. 
HMAC key: entity. usageAuth, the original and not the new auth value 



834 

835 

336 
337 



Description 

1. The parentAuthHandle session type MUST be TPMJPID_OSAP. 

2. In this capability, the SRK cannot be accessed as entityType TPM_ET_KEY, since the 
SRK is not wrapped by a parent key. 



338 Actions 

339 1. Verify that entityType is one of TPM_ET_DATA, TPM_ET_KEY and return the error 

340 TPM_WRONG„ENTITYTYPE if not. 

341 2. Verify that parentAuthHandle session type is TPM_PID_OSAP return TPMJBAD_MODE 
842 on error 

343 3. Verify that entityAuthHandle session type is TPM_PID_OIAP return TPM_BAD_MODE on 

344 error 

345 4. The encData parameter MUST be the encData field from either the TPM_STORED_DATA 

346 or TPM_KEY structures. 

347 5. If parentAuthHandle indicates XOR encryption for the AuthData secrets 

848 a. Create XI the SHA-1 of the concatenation of (parentAuthHandle -> sharedSecret | | 

349 authLastNonceEven) 

850 b. Create deciyptAuth by XOR XI and newAuth 

351 6. Else 
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352 a. Create newAuth by decrypting newAuth using the algorithm indicated in the OSAP 

353 session 

354 b. Key is from parentAuthHandle -> sharedSecret 

355 c. IVisSHA-1 of (authLastNonceEven | | nonceOdd) 

356 7. The TPM MUST validate the command using the AuthData in the parentAuth parameter 

357 8. After parameter validation the TPM creates bl by decrypting encData using the key 

858 pointed to by parentHandle. 

859 9. The TPM MUST validate that bl is a valid TPM structure, either a 

860 TPM_STORE_ASYMKEY or a TPM_SEALED_DATA 

361 a. Check the tag, length and authValue for match, return TPM_INVALID_STRUCTURE 

362 on any mismatch 

363 10. The TPM replaces the AuthData for bl with decryptAuth created above. 

364 11. The TPM encrypts bl using the appropriate mechanism for the type using the 

365 parentKeyHandle to provide the key information. 

366 12. The TPM MUST enforce the destruction of both the parentAuthHandle and 

367 entityAuthHandle sessions. 
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S68 

369 

370 
371 

372 

373 



17.2 TPM_ChangeAuthOwner 



Start of informative comment: 

•• . ■ - 

1|]h9H^M command allows the owner of an entity to change the 

AuthData for the TPM Owner or the SRK. 

This command requires authorization from the current TPM Owner to execute. 
End of informative comment. 

L. - - - ... -,-,;U,,...:U, ,-. :-„_-,-. t. _'.....,„„.:....„ - : :, L _.;.^,„„ v ,,._„.. ..... , i.-.U™.,™^ * .„„....„^^,,^^_^.;„>.„^.; ,„.™^-^_,^__^™-._^i,;_.-.:.„^-,„™-_. 



374 Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM_TAG 


tag 


TPM_TAG_RQU_AUTH 1 _C0MMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal: TPM_ORD_ChangeAuthOwner 


4 


2 


2S 


2 


TPM_PROTOCOL_ID 


protocolID 


The protocol in use. 


5 


20 


3S 


20 


TPM_ENCAUTH 


newAuth 


The encrypted new AuthData for the entity. The encryption key is the 
shared secret from the OSAP protocol. 


6 


2 


4S 


2 


TPM.ENTITYJYPE 


entityType 


The type of entity to be modified 


7 


4 






TPM_AUTHHANDLE 


ownerAuthHandle 


The authorization session handle used for the TPM Owner. 






2H1 


20 


TPMJslONCE 


authLastNonceEven 


Even nonce previously generated by TPM to cover inputs 


8 


20 


3H1 


20 


TPM.NONCE 


nonceOdd 


Nonce generated by system associated with ownerAuthHandle 


9 


1 


4H1 


1 


BOOL 


continueAuthSession 


Continue use flag the TPM ignores this value 


10 


20 






TPM.AUTHDATA 


ownerAuth 


The authorization session digest for inputs and ownerHandie. HMAC key: 
ownerAuth. 



375 Outgoing Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM_TAG 


tag 


TPM_TAG_RSP_AUTH 1 .COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_RESULT 


returnCode 


The return code of the operation. 






2S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinat TPM_ORD„ChangeAuthOwner 


4 


20 


2H1 


20 


TPM_NONCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 






3H1 


20 


TPMJMONCE 


nonceOdd 


Nonce generated by system associated with ownerAuthHandle 


5 


1 


4H1 


1 


BOOL 


continueAuthSession 


Continue use flag, fixed value of FALSE 


6 


20 






TPM.AUTHDATA 


resAuth 


The authorization session digest for the returned parameters and 
ownerHandie. HMAC key: ownerAuth, the original value and not the new 
auth value 
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B76 Actions 

377 1 . The TPM MUST validate the command using the AuthData in the ownerAuth parameter 

378 2. The ownerAuthHandle session type MUST be TPMJPIDJDSAP 

379 3. Verify that entityType is either TPM_ET_OWNER or TPM_ET_SRK, and return the error 

380 TPM_WRONGJENTITYTYPE if not. 

381 4. If ownerAuthHandle indicates XOR encryption for the AuthData secrets 

382 a. Create XI the SHA-1 of the concatenation of (ownerAuthHandle -> sharedSecret | | 

383 authLastNonceEven) 

384 b. Create decryptAuth by XOR XI and newAuth 

385 5. Else 

386 a. Create newAuth by decrypting newAuth using the algorithm indicated in the OSAP 

387 session 

388 b. Key is the previous ownerAuth 

389 c. IV is SHA-1 of (authLastNonceEven | | nonceOdd) 

390 6. The TPM MUST enforce the destruction of the ownerAuthHandle session upon 

391 completion of this command (successful or unsuccessful). This includes setting 

392 continueAuthSession to FALSE 

393 7. Set the AuthData for the indicated entity to decryptAuth 

394 8. Invalidate all sessions, active or saved 
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395 18. Authorization Sessions 

396 18.1 TPM_OIAP 

397 Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPMJTAG 


tag 


TPM_TAG_RQU_COMMAND 


2 


4 






UINT32 


paramSize j 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal: TPM_ORD_OIAP. 


Outgoing Operands and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPMJTAG 


tag 


TPM_TAG_RSP_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM__RESULT 


returnCode 


The return code of the operation. 






2S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal: TPM_ORD_OIAP. 


4 


4 






TPM_AUTHHANDLE 


authHandle 


Handle that TPM creates that points to the authorization state. 


5 


20 






TPM.NONCE 


nonceEven 


Nonce generated by TPM and associated with session. 



399 Actions 

900 1 . The TPM_OIAP command allows the creation of an authorization session handle and the 

901 tracking of the handle by the TPM. The TPM generates the handle and nonce. 

902 2. The TPM has an internal limit as to the number of handles that may be open at one 

903 time, so the request for a new handle may fail if there is insufficient space available. 

904 3. Internally the TPM will do the following: 

905 a. TPM allocates space to save handle, protocol identification, both nonces and any 

906 other information the TPM needs to manage the session. 

907 b. TPM generates authHandle and nonceEven, returns these to caller 

908 4. On each subsequent use of the OIAP session the TPM MUST generate a new nonceEven 

909 value. 

910 5. When TPMJDIAP is wrapped in an encrypted transport session, no input or output 

911 parameters are encrypted. 

912 18.1.1 Actions to validate an OIAP session 
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919 Actions 

920 The TPM MUST perform the following operations: 

92 1 1 . The TPM MUST verify that the authorization session handle (H, say) referenced in the 

922 command points to a valid session. If it does not, the TPM returns the error code 

923 TPMJNVALID_AUTHHANDLE 

924 2. The TPM SHALL retrieve the latest version of the caller's nonce (nonceOdd) and 

925 continueAuthSession flag from the input parameter list, and store it in internal TPM 

926 memory with the authSession *H\ 

927 3. The TPM SHALL retrieve the latest version of the TPM's nonce stored with the 

928 authorization session H (authLastNonceEven) computed during the previously executed 

929 command. 

930 4. The TPM MUST retrieve the secret AuthData (SecretE, say) of the target entity. The 

931 entity and its secret must have been previously loaded into the TPM. 

932 a. If the command using the OIAP session requires owner authorization 

933 i. If TPM_STCLEAR_DATA -> ownerReference is TPM_KH_OWNER, the secret 

934 AuthData is TPM_PERMANENT_DATA -> ownerAuth 

935 ii. If TPM_STCLEARJDATA -> ownerReference is pointing to a delegate row 

936 (1) Set Rl a row index to TPM_STCLEARJDATA -> ownerReference 

937 (2) Set Dl a TPM_DELEGATE_TABLE_ROW to TPM_PERMANENT_DATA -> 

938 delegateTable -> delRow[Rl] 

939 (3) Set the secret AuthData to Dl -> authValue 

940 (4) Validate the TPM_DELEGATE_PUBLIC Dl -> pub based on the command 

941 ordinal 

942 5. The TPM SHALL perform a HMAC calculation using the entity secret data, ordinal, input 

943 command parameters and authorization parameters per Part 1 Object- Independent 

944 Authorization Protocol. 

945 6. The TPM SHALL compare HM to the AuthData value received in the input parameters. If 

946 they are different, the TPM returns the error code TPM_AUTHFAIL if the authorization 

947 session is the first session of a command, or TPM_AUTH2 FAIL if the authorization 

948 session is the second session of a command. Otherwise, the TPM executes the command 

949 which (for this example) produces an output that requires authentication. 

950 7. The TPM SHALL generate a nonce (nonceEven). 

951 8. The TPM creates an HMAC digest to authenticate the return code, return values and 

952 authorization parameters to the same entity secret per Part 1 Object-Independent 

953 Authorization Protocol. 

954 9. The TPM returns the return code, output parameters, authorization parameters and 

955 authorization session digest. 
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956 10. If the output continueUse flag is FALSE, then the TPM SHALL terminate the session. 

957 Future references to H will return an error. 
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958 

959 

960 
961 

962 
963 



18.2 TPM OSAP 



Start of informative Comment: 



The TPM OSAP command creates the authorization session handle, the shared secret and 
generates nonceEyen and nonceEvenOSAP. 



End df informative comment . 



Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


' # 


SZ 


# 


SZ 


1 j 


2 






TPM.TAG 


tag 


TPM_TAG_RQU_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_C0MMAND_C0DE 


ordinal 


Command ordinal: TPM _ORD_OSAP. 


4 


2 






TPM_ENTITY_TYPE 


entityType 


The type of entity in use 


5 


4 






UINT32 


entityValue 


The selection value based on entityType, e.g. a keyHandle # 


6 


20 






TPM_N0NCE 


nonceOddOSAP 


The nonce generated by the caller associated with the shared secret. 


Outgoing Operands and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM.TAG 


tag 


TPM_T AG_RSP_COMM AN D 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_RESULT 


returnCode 


The return code of the operation. 






2S 


4 


TPM_C0MMAND_C0DE 


ordinal 


Command ordinal: TPMJDRD JDSAP. 


4 


4 






TPM_AUTHHANDLE 


authHandle 


Handle that TPM creates that points to the authorization state. 


5 


20 






TPM_N0NCE 


nonceEven 


Nonce generated by TPM and associated with session. 


6 


20 






TPM_N0NCE 


nonceEvenOSAP 


Nonce generated by TPM and associated with shared secret. 



964 



965 

966 
967 
968 

969 
970 

971 
972 
973 

974 
975 

976 
977 



Description 

1 . The TPM_OSAP command allows the creation of an authorization session handle and the 
tracking of the handle by the TPM. The TPM generates the handle, nonceEven and 
nonceEvenOSAP. 

2. The TPM has an internal limit on the number of handles that may be open at one time, 
so the request for a new handle may fail if there is insufficient space available. 

3. The TPM_OSAP allows the binding of an authorization to a specific entity. This allows 
the caller to continue to send in AuthData for each command but not have to request 
the information or cache the actual AuthData. 

4. When TPM_OSAP is wrapped in an encrypted transport session, no input or output 
parameters are encrypted. 

5. If the owner pointer is pointing to a delegate row, the TPM internally MUST treat the 
OSAP session as a DSAP session 
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978 6. TPM_ET_SRK or TPM_ET_KEYHANDLE with a value of TPM_KH_SRK MUST specify the 

979 SRK. 

980 Actions 

981 1. The TPM creates SI a storage area that keeps track of the information associated with 

982 the authorization. 

983 2. SI MUST track the following information 

984 a. Protocol identification (i.e. TPM_PID_OSAP) 

985 b. nonceEven 

986 i. Initialized to the next value from the TPM RNG 

987 c. shared secret 

988 d. ADIP encryption scheme from TPM_ENTITY_TYPE entityType 

989 e. Any other internal TPM state the TPM needs to manage the session 

990 3. The TPM MUST create and MAY track the following information 

991 a. nonceEvenOSAP 

992 i. Initialized to the next value from the TPM RNG 

993 4. The TPM calculates the shared secret using an HMAC calculation. The key for the HMAC 

994 calculation is the secret AuthData assigned to the key handle identified by entityValue. 

995 The input to the HMAC calculation is the concatenation of nonces nonceEvenOSAP and 

996 nonceOddOSAP. The output of the HMAC calculation is the shared secret which is saved 

997 in the authorization area associated with authHandle 

998 5. Check if the ADIP encryption scheme specified by entityType is supported, if not return 

999 TPM_INAPPROPRIATE_ENC. 

000 6. If entityType = TPM_ET_KEYHANDLE 

001 a. The entity to authorize is a key held in the TPM. entityValue contains the keyHandle 

002 that holds the key. 

003 b. If entityValue is TPM_KH_OPERATOR return TPM_BAD_HANDLE 

004 7. else if entityType = TPM JET_OWNER 

005 a. This value indicates that the entity is the TPM owner. entityValue is ignored 

006 b. The HMAC key is the secret pointed to by ownerReference (owner secret or delegated 

007 secret) 

008 8. else if entityType = TPMJET_SRK 

009 a. The entity to authorize is the SRK. entityValue is ignored. 

010 9 . else if entityType = TPM_ET_COUNTER 

011 a. The entity is a monotonic counter, entityValue contains the counter handle 

012 10. else if entityType = TPM__ET_NV 

013 a. The entity is a NV index, entityValue contains the NV index 

014 11. else return TPM__BAD_PARAMETER 
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015 12. On each subsequent use of the OSAP session the TPM MUST generate a new nonce 

016 value. 

017 13. The TPM MUST ensure that OSAP shared secret is only available while the OSAP session 

018 is valid. 

019 14. The session MUST terminate upon any of the following conditions: 

020 a. The command that uses the session returns an error 

02 1 b. The resource is evicted from the TPM or otherwise invalidated 

022 c. The session is used in any command for which the shared secret is used to encrypt 

023 an input parameter (TPM_ENCAUTH) 

024 d. The TPM Owner is cleared 

025 e. TPM_ChangeAuthOwner is executed and this session is attached to the owner 

026 authorization 

027 f. The session explicitly terminated with continueAuth, TPM_Reset or 

028 TPM_FlushSpecific 

029 g. All OSAP sessions MUST be invalidated when any of the following commands 

030 execute: 

031 i . TPM_Delegate_Manage 

032 ii. TPM_Delegate_CreateOwnerDelegation with Increment==TRUE 

033 iii. TPM_Delegate_Jx>adOwnerDelegation 

034 18.2.1 Actions to validate an OSAP session 

035 



036 



Start of Informative comment: 



This section describes the authorization-related actions of a TPM when it receives a 

037 command that has been authorized with the OSAP protocol. 

038 [Many commands use OSAP authorization. The foUowing description is therefore necessarily 

039 jabstract. : \ jv... , ^^^W^^'. - . 

040 !End of informative comment 111 iMl 



041 Actions 

042 1. On reception of a command with ordinal CI that uses an authorization session, the TPM 

043 SHALL perform the following actions: 

044 2. The TPM MUST have been able to retrieve the shared secret (Shared, say) of the target 

045 entity when the authorization session was established with TPM_OSAP. The entity and 

046 its secret must have been previously loaded into the TPM. 

047 3. The TPM MUST verify that the authorization session handle (H, say) referenced in the 

048 command points to a valid session. If it does not, the TPM returns the error code 

049 TPM_INVALID_AUTHHANDLE. 

050 4. The TPM MUST calculate the HMAC (HM1, say) of the command parameters according 

051 to Part 1 Object-Specific Authorization Protocol. 
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052 5. The TPM SHALL compare HM1 to the AuthData value received in the command. If they 

053 are different, the TPM returns the error code TPM_AUTHFAIL if the authorization session 

054 is the first session of a command, or TPM__AUTH2FAIL if the authorization session is the 

055 second session of a command., the TPM executes command CI which produces an 

056 output (O, say) that requires authentication and uses a particular return code (RC, say). 

057 6. The TPM SHALL generate the latest version of the even nonce (nonceEven). 

058 7. The TPM MUST calculate the HMAC (HM2) of the return parameters according to section 

059 Part 1 Object- Specific Authorization Protocol. 

060 8. The TPM returns HM2 in the parameter list. 

061 9. The TPM SHALL retrieve the continue flag from the received command. If the flag is 

062 FALSE, the TPM SHALL terminate the session and cfestroy the thread associated with 

063 handle H. 

064 10. If the shared secret was used to provide confidentiality for data in the received 

065 command, the TPM SHALL terminate the session and destroy the thread associated with 

066 handle H. 

067 11. Each time that access to an entity Jcey) is authorized using OSAP, the TPM MUST 

068 ensure that the OSAP shared secret is that derived from the entity using TPM_OSAP 
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069 

070 

071 
072 
073 
074 

075 
076 

077 
078 



18.3 TPM DSAP 



Start of informative comment 



The TPM_DSAP command creates the authorization session handle using a delegated 
AuthData value passed into the command as an encrypted blob or from the internal 
delegation table. It can be used to start an authorization session for a user key or the 



owner 



Identically to TPM_OSAP, it generates a shared secret and generates nonceEven and 
nonceEvenOSAP. 

End of informative comment. 



Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM.TAG 


tag 


TPM_TAG_RQU_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_C0MMAND_C0DE 


ordinal 


Command ordinal: TPM_ORD_DSAP. 


4 


2 






TPM_ENTITY_TYPE 


entityType 


The type of delegation information to use 


5 


4 






TPM_KEY_HANDLE 


keyHandle 


Key for which delegated authority corresponds, or 0 if delegated owner activity. 
Only relevant if entityValue equals TPM_DELEGATE_KEY_BLOB 


6 


20 






TPMJMONCE 


nonceOddDSAP 


The nonce generated by the caller associated with the shared secret. 


7 


4 






UINT32 


entityValueSize 


The size of entityValue. 


8 


<> 


2S 


<> 


BYTE [] 


entityValue 


TPM_DELEGATE_KEY_BLOB or TPM_DELEGATE_OWNER_BLOB or index 
MUST not be empty 

If entityType is TPM ET DEL ROW then entityValue is a 
TPM_DELEGATE_INDEX 


Ov 


itgoing < 


Ope 


rands and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


sz 


# 


sz 




1 


2 






TPM_TAG 


tag 


TPM_TAG_RSP_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


! 4 


1S 


4 


TPM_RESULT 


returnCode 


The return code of the operation. 






2S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal: TPM_ORDJ)SAP. 


4 


4 






TPM.AUTHHANDLE 


authHandle 


Handle that TPM creates that points to tie authorization state. 


5 


20 






TPM.NONCE 


nonceEven 


Nonce generated by TPM and associated with session. ! 


6 


20 






TPM_NONCE 


nonceEvenDSAP 


Nonce generated by TPM and associated with shared secret 



079 



080 

081 
082 
083 



Description 

1. The TPM_DSAP command allows the creation of an authorization session handle and the 
tracking of the handle by the TPM. The TPM generates the handle, nonceEven and 
nonceEvenOSAP. 
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084 2. The TPM has an internal limit on the number of handles that may be open at one time, 

085 so the request for a new handle may fail if there is insufficient space available. 

086 3. The TPM_DSAP allows the binding of a delegated authorization to a specific entity. This 

087 allows the caller to continue to send in AuthData for each command but not have to 

088 request the information or cache the actual AuthData. 

089 4. Each ordinal that uses the DSAP session MUST validate that TPM_PERMANENTJ)ATA - 

090 > restrictDelegate does not restrict delegation, based on keyHandle -> keyUsage and 

091 keyHandle -> keyFlags, return TPMJNVALIDJCEYUSAGE on error. 

092 5. On each subsequent use of the DSAP session the TPM MUST generate a new nonce 

093 value and check if the ordinal to be executed has delegation to execute. The TPM MUST 

094 ensure that the DSAP shared secret is only available while the DSAP session is valid. 

095 6. When TPM_DSAP is wrapped in an encrypted transport session 

096 a. For input the only parameter encrypted is entityValue 

097 b. For output no parameters are encrypted 

098 7. The DSAP session MUST terminate under any of the following conditions 

099 a. The command that uses the session returns an error 

100 b. If attached to a key, when the key is evicted from the TPM or otherwise invalidated 

101 c. The session is used in any command for which the shared secret is used to encrypt 

102 an input parameter (TPM_ENCAUTH) 

103 d. The TPM Owner is cleared 

104 e. TPM_ChangeAuthOwner is executed and this session is attached to the owner 

105 authorization 

106 f. The session explicitly terminated with continueAuth, TPM^Reset or 

107 ■ TPM_FlushSpecific 

108 g. All DSAP sessions MUST be invalidated when any of the following commands 

109 execute: 

110 i. TPMJDelegate_CreateOwnerDelegation 

111 ii. When Increment is TRUE 

112 iii. TPM_Delegate_LoadOwnerDelegation 

113 iv. TPM_Delegate_Manage 

114 entityType = TPM_ET_DEL_.OWNER_.BLOB 

115 The entityValue parameter contains an owner delegation blob structure. 

116 entityType = TPM_ET_DEL_ROW 

117 The entityValue parameter contains a row number in the nv Delegation table which 

118 should be used for the AuthData value. 

119 entityType - TPM_DEL_KEY_BLOB 

120 The entityValue parameter contains a key delegation blob structure. 

121 Actions 
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122 1. If entityType == TPM_ET_DEL_OWNER_BLOB 

123 a. Map entityValue to Bl a TPM_DELEGATE_OWNER_BLOB 

124 b. Validate that Bl is a valid TPM_DELEGATE_0 WNERJ3LOB , return 

125 TPM_WRONG_ENTITYTYPE on error 

126 c. Locate Bl -> pub -> familylD in the TPM_FAMILY_TABLE and set familyRow to 

127 indicate row, return TPMJ3ADINDEX if not found 

128 d. Set FR to TPM_FAMILY_TABLE.famTableRow[familyRow] 

129 e. If FR -> flags TPM_FAMFLAG_ENABLED is FALSE, return TPM_DISABLED_CMD 

130 f. Verify that Bl->verificationCount equals FR -> verificationCount. 

131 g. Validate the integrity of the blob 

132 i. Copy Bl -> integrityDigest to H2 

133 ii. Set Bl -> integrityDigest to NULL 

134 iii. Create H3 the HMAC of Bl using tpmProof as the secret 

135 iv. Compare H2 to H3 return TPM_AUTHFAIL on mismatch 

136 h. Create SI a TPM_DELEGATE_SENSITIVE by decrypting Bl -> sensitiveArea using 

1 37 TPMJDELEGATE„KEY 

138 i. Validate SI values 

1 39 i. S 1 -> tag is TPM_TAG_DELEGATE_SENSITIVE 

140 ii. Return TPM_BAD_DELEGATE on error 

141 j. Set Al to SI -> authValue 

142 2. Else if entityType == TPM_ETJDEL_ROW 

143 a. Verify that entityValue points to a valid row in the delegation table. 

144 b. Set D 1 to the delegation information in the row. 

145 c. Set Al to Dl-> authValue. 

146 d. Locate Dl -> familylD in the TPM_FAMILY_TABLE and set familyRow to indicate that 

147 row, return TPM_BADINDEX if not found 

148 e. Set FR to TPM_FAMILY_TABLE.famTableRow[familyRow] 

149 f. If FR -> flags TPM__FAMFLAG_ENABLED is FALSE, return TPM_DISABLED_CMD 

150 g. Verify that Dl->verificationCount equals FR -> verificationCount. 

151 3 . Else if entityType = = TPM_ET_DEL_KEY_BLOB 

152 a. Map entityValue to Kl a TPM_DELEGATE_KEY_BLOB 

153 b. Validate that Kl is a valid TPM__DELEGATE_KEY_BLOB , return 

1 54 TPM_WRONG_ENTITYTYPE on error 

155 c. Locate Kl -> pub -> familylD in the TPMJFAMILYJTABLE and set familyRow to 

156 indicate that row, return TPM_BAD INDEX if not found 

157 d. Set FR to TPM_FAMILY_TABLE.famTableRow[familyRow] 
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158 e. If FR -> flags TPM_FAMFLAG_ENABLED is FALSE, return TPM_DISABLED_CMD 

159 f. Verify that Kl -> pub -> verificationCount equals FR -> verificationCount. 

160 g. Validate the integrity of the blob 

161 i. Copy Kl -> integrityDigest to H2 

162 ii. Set Kl -> integrityDigest to NULL 

163 iii. Create H3 the HMAC of Kl using tpmProof as the secret 

164 iv. Compare H2 to H3 return TPM_AUTHFAIL on mismatch 

165 h. Validate that Kl -> pubKeyDigest identifies keyHandle, return TPM.KEYNOTFOUND 

1 66 on error 

167 i. Create SI a TPM_DELEGATE_SENSITIVE by decrypting Kl -> sensitiveArea using 

1 68 TPM_DELEGATE_KEY 

1 69 j . Validate S 1 values 

170 i. S 1 -> tag is TPM_TAG_DELEGATE_SEN STIVE 

171 ii. Return TPM_BAD_DELEGATE on error 

172 k. Set A 1 to SI -> authValue 

173 4. Else return TPM_BAD_PARAMETER 

174 5. Generate a new authorization session handle and reserve space to save protocol 

175 identification, shared secret, pcrlnfo, both nonces, ADIP encryption scheme, delegated 

176 permission bits and any other information the TPM needs to manage the session. 

177 6. Read two new values from the RNG to generate nonceEven and nonceEvenOSAP. 

178 7. The TPM calculates the shared secret using an HMAC calculation. The key for the HMAC 

179 calculation is Al. The input to the HMAC calculation is the concatenation of nonces 

180 nonceEvenOSAP and nonceOddOSAP. The output of the HMAC calculation is the shared 

181 secret which is saved in the authorization area associated with authHandle. 
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182 

183 

184 
185 

186 
187 
188 
189 
190 

191 
192 
193 

194 
195 
196 

197 
198 



18.4 TPM SetOwnerPointer 



Start of informative comment: 

This command will set a reference to which secret the TPM will use when executing an 
owner secret related OIAP or OSAP session. 

This command should only be used to provide an owner delegation function for legacy code 
that does not itself support delegation. Normally, TPM_STCLEAR_DATA->ownerReference 
points to TPM_KH_OWNER, indicating that OIAP and OSAP sessions should use the owner 
authorization. This command allows ownerReference to point to an index in the delegation 
table, indicating that OIAP and OSAP sessions should use the; delegation authorization. 

In use, a TSS supporting delegation would create and load the owner delegation and set the 
owner pointer to that delegation. From then on, a legacy TSS application would use its OIAP 
and OSAP sessions with the delegated owner authorization. 

Since this command is not authorized, the ownerReference is open to DoS attacks. 
Applications can attempt to recover from a failing owner authorization by resetting 
ownerReference to an appropriate value. 



End of informative comment* 



Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM.TAG 


tag 


TPM_TAG_RQIL COMMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_COMMAND_CODE 


ordinal 


Ordinal: TPM_ORD_SetOwnerPointer 


4 


2 


2S 


2 


TPM„ENTITY_TYPE 


entityType 


The type of entity in use 


5 


4 


3S 


4 


UINT32 


entityValue 


The selection value based on entityType 


Ou 


tgoing C 


>perands and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


sz 


# 


sz 


1 


2 






TPM.TAG 


tag 


TPM_TAG_RSP_ COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes 


3 


4 


1S 


4 


TPM_RESULT 


returnCode 


The return code of the operation 






2S 


4 


TPM_COMMAND_CODE 


ordinal 


Ordinal: TPM_ORD_SetOwnerPointer 



199 



200 

201 

202 

203 
204 



Actions 

1 . Map TPM_STCLEAR_DATA to V 1 

2. If entityType = TPM_ET_DEL_ROW 

a. This value indicates that the entity is a delegate row. entityValue is a delegate index 
in the delegation table. 
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205 b. Validate that entityValue points to a legal row within the delegate table stored within 

206 the TPM. If not return TPM_BADINDEX 

207 i. Set Dl to the delegation information in the row. 

208 c. Locate Dl -> familylD in the TPM_FAMILY_TABLE and set familyRow to indicate that 

209 row, return TPM_BADINDEX if not found. 

2 10 d. Set FR to TPM„FAMILY_TABLE.famTableRow[familyRow] 

211 e. If FR -> flags TPM_FAMFLAG_ENABLED is FALSE, return TPMJDISABLED.CMD 

212 f. Verify that Bl->verificationCount equals FR -> verificationCount. 

213 g. The TPM sets Vl-> ownerReference to entityValue 

214 h. Return TPM_SUCCESS 

215 3. else if entityType = TPM_ET_OWNER 

216 a. This value indicates that the entity is the TPM owner. entityValue is ignored. 

217 b. The TPM sets VI- > ownerReference to TPM_KH_OWNER 

218 c. Return TPM_SUCCESS 

219 4. Return TPM_BAD_PARAMETER 
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220 19. 



Delegation Commands 



221 19.1 TPM_Delegate JVIanage 



222 

223 
224 
225 
226 

227 
228 
229 
230 
231 
232 
233 
234 

235 

236 
237 

238 
239 
240 
241 

242 
243 

244 

245 



Start of informative comment: 

TPM_Delegate_Manage is the fundamental process for managing the Family tables, 
including enabling/ disabling Delegation for a selected Family. Normally! 
|TPM_Delegate_Manage must be executed at least once (to create Family tables for a| 
| particular family) before any other type of Delegation command in that family can succeed, j 

TPM_Delegate_Manage is authorized by the TPM Owner if an Qvner is installed, because 
[changing a table is a privileged Owner operation. If no Owner is installed, 
;TPM_Delegate_Manage requires no privilege to execute. This does not disenfranchise an 
[Owner, since there is no Owner, and simplifies loading of tables during platform 
I manufacture or on first-boot. Burn-out of TPM non-volatile storage by inappropriate use is 
mitigated by the TPM's normal limits on NV -writes in the absence of an Owner. Tables can 
be locked after loading, to prevent subsequent tampering, and only unlocked by the Owner, 
his delegate, or the act of removing the Owner (even if there is no Owner). 

TPM_Delegate_Manage command is customized by opCode: 

(1) TPM_FAMILY_ENABLE enables /disables use of a family and all the rows of the delegate 
table belonging to that family, 

(2) TPM_FAMILY_ADMIN can be used to prevent further management of the Tables until an 
Owner is installed, or until the Owner is removed frorri the TPM. (Note that the Physical 
Presence command TPM_FdrceGlear always enables further management, even if 
TPM_ForceClear is used when no Owner is installed.) 

(3) TPM_FAMILY_CREATE creates a new family. Sessions are invalidated even in this case 
because the lastFamilylD could wrap. 

(4) TPM_FAMILY_INVALIDATE invalidates an existing family. 

End of informative comment. ; V • ' y ^ : . 
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246 Incoming Operands and Sizes 



PARAM 


HMAC 


Type 




UBScnpiion 


# 


sz 


# 


SZ 


1 


2 






TPM_TAG 


tag 


TPM_TAG_RQU_AUTH1 _COMMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_C0MMAND_C0DE 


ordinal 


Command ordinal: TPM_ORD_Delegate_Manage 


4 


4 


2S 


4 


TPM_FAMlLY_ID 


familylD 


The familylD that is to be managed 


5 


4 


3s 


4 


TPM_FAM IL Y_0PERATI0N 


opCode 


Operation to be performed by this command. 


6 


4 


4s 


4 


UINT32 


opDataSize 


Size in bytes of opData 


7 


o 


5s 


o 


BYTE [] 


opData 


Data necessary to implement opCode 


8 


4 






TPM_AUTHHANDLE 


authHandle • 


The authorization session handle used for owner authenticate 






2H1 


20 


TPM_N0NCE 


authLastNonceEven 


Even nonce previously generated by TPM to cover inputs 


9 


20 


3H1 


20 


TPM_N0NCE 


nonceOdd 


Nonce generated by system associated with authHandle 


10 


1 


4H1 


1 


BOOL 


continueAuthSession 


The continue use flag for the authorization session handle 


11 


20 






TPM_AUTHDATA 


ownerAuth 


HMAC key: ownerAuth, 



247 Outgoing Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM_TAG I 


tag 


TPM_TAG_RSP_AUTH 1 _COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM.RESULT 


returnCode 


The return code of the operation 






2S 


4 


TPM_COMMAND_C ODE 


ordinal 


Command ordinal: TPMJDRD_Delegate_Manage 


4 


4 


3S 


4 


UINT32 


retDataSize 


Size in bytes of retData 


5 


o 


4S 


<> 


BYTE [ ] 


retData 


Returned data 


6 


20 


2H1 


20 


TPM_NONCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 






3H1 


20 


TPM_NONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


7 


1 


4H1 


1 


BOOL 


continueAuthSession 


Continue use flag, TRUE if handle is still active 


8 


20 






TPM_AUTHDATA 


resAuth 


HMAC key: ownerAuth. 



248 Action 

249 1. If opCode != TPM_FAMILY_CREATE 

250 a. Locate familylD in the TPM_FAMILY_TABLE and set familyRow to indicate row, 

251 return TPM_BADINDEX if not found 

252 b. Set FR, a TPM_FAMILY_TABLE_ENTRY, to TPM_FAMILY_TABLE. famTableRow 

253 [familyRow] 

254 2. If tag = TPM_TAG_RQU_AUTHl_COMMAND 

255 a. Validate the command and parameters using ownerAuth, return TPM_AUTHFAIL on 

256 error 
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257 b. If the authHandle session type is TPM_PIDJDSAP 

258 i. If opCode = TPM_FAMILY_CREATE 

259 (1) The TPM MUST ignore familylD 

260 ii. Else 

261 (1) Verify that the familylD associated with authHandle matches the familylD 

262 parameter, return TPM_DELEGATE_FAMILY on error 

263 3. Else 

264 a. If TPM_PERMANENT_DATA -> ownerAuth is valid, return TPM_AUTHFAIL 

265 b. If opCode != TPM_FAMILY_CREATE and FR -> flags -> 

266 TPM_DELEGATE_ADMIN_LOCK is TRUE, return TPM_DELEGATE_LOCK 

267 c. Validate max NV writes without an owner 

268 i. Set NV1 to TPM_PERMANENT_DATA -> noOwnerNVWrite 

269 ii. Increment NV1 by 1 

270 iii. If NV1 > TPM_MAX_NV_WRITE_NOOWNER return TPM_MAXNVWRITES 

271 iv. Set TPM_PERMANENT_DATA -> noOwnerNVWrite to NV1 

272 4. The TPM invalidates sessions 

273 a. MUST invalidate all DSAP sessions 

274 b. MUST invalidate all OSAP sessions associated with the delegation table 

275 c. MUST set TPM_STCLEAR_DATA -> ownerReference to TPM_KH_OWNER 

276 d. MAY invalidate any other session 

277 5. If opCode — TPM_FAMILY_CREATE 

278 a. Validate that sufficient space exists within the TPM to store an additional family and 

279 map F2 to the newly allocated space. 

280 b. Validate that opData is a TPM_FAMILY_LABEL 

281 i. If opDataSize != sizeof(TPM_FAMILY_LABEL) return TPM_BAD_PARAM_SIZE 

282 c. Map F2 to a TPM_FAMILY_TABLE_ENTRY 

283 i. Set F2 -> tag to TPM_TAG_FAMILY_TABLE_ENTRY 

284 ii. Set F2 -> familyLabel to opData 

285 d. Increment TPM_PERMANENT_DATA -> lastFamilylD by 1 

286 e. Set F2 -> familylD = TPM_PERMANENT_DATA -> lastFamilylD 

287 f. Set F2 -> verificationCount = 1 

288 g. Set F2 -> flags -> TPM_FAMFLAG_ENABLED to FALSE 

289 h. Set F2 -> flags -> TPM_DELEGATE_ADMIN_LOCK to FALSE 

290 i. Set retDataSize = 4 

29 1 j . Set retData = F2 -> familylD 
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292 k. Return TPM_SUCCESS 

293 6. If authHandle is of type DSAP then continueAuthSession MUST set to FALSE 

294 7. If opCode == TPM_FAMILY_ADMIN 

295 a. Validate that opDataSize == 1, and that opData is a Boolean value. 

296 b. Set (FR -> flags -> TPM_DELEGATE_ADMIN_LOCK) = opData 

297 c. Set retDataSize = 0 

298 d. Return TPM_SUCCESS 

299 8. else If opCode == TPM_FAMILY_ENABLE 

300 a. Validate that opDataSize == 1, and that opData is a Boolean value. 

301 b. Set FR -> flags-> TPM_FAMFLAG_ENABLED = opData 

302 c. Set retDataSize = 0 

303 d. Return TPM_SUCCESS 

304 9. else If opCode == TPM_FAMILY_INVALIDATE 

305 a. Invalidate all data associated with familyRow 

306 i. All data is all information pointed to by FR 

307 ii. return TPM_SELFTEST_FAILED on failure 

308 b. Set retDataSize = 0 

309 c. Return TPM_SUCCESS 

310 10. Else return TPM_BAD_PARAMETER 
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311 

312 

313 
314 

315 
316 
317 

318 
319 

320 

321 



19.2 TPM_Delegate_CreateKey Delegation 



Start of informative comment: 



This command delegates privilege to use a key by creating a blob that can be used by 

— - DSAR ' ■: : ' 



There is no check for appropriateness of the key's key usage against the key permission 
settings. If the key usage is incorrect, this command succeeds, but the delegated command 
will fail. ° ; 

These blobs CANNOT be used as input data for TPM_LoadOwnerDelegatibn because the 
internal TPM delegate table can store owner delegations only. 



(TPM_Delegate_GreateOwnerDelegation must be used to delegate Owner privilege.) 
End of informative comment 



322 Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


sz 


# 


SZ 


1 


2 






TPM_TAG 


tag 


TPM_TAG_RQU_AUTH 1 _C0MMAN D 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_C0MM/ND_C0DE 


ordinal 


Command ordinal: TPM_ORD_De!egate_CreateKeyDelegation. 


4 


4 






TPM_KEY„HANDLE 


key Handle 


The keyHandle identifier of a loaded key. 


5 


o 


2S 


o 


TPM_DELEGATE_PUBLIC 


publiclnfo 


The public information necessary to fill in the blob 


6 


20 


3S 


20 


TPM.ENCAUTH 


delAuth 


The encrypted new AuthData for the blob. The encryption key is the 
shared secret from the OSAP protocol. 


7 


4 






TPM_AUTHHANDLE 


authHandle 


The authorization session handle used for keyHandle authorization 






2H1 


20 


TPM.N0NCE 


authLastNonc eEven 


Even nonce previously generated by TPM to cover inputs 


8 


20 


3H1 


20 


TPM_N0NCE 


nonceOdd 


Nonce generated by system associated with authHandle 


9 


1 


4H1 


1 


BOOL 


continueAuthSession 


Ignored 


10 


20 






TPM_AUTHDATA 


privAuth 


The authorization session digest that authorizes the use of keyHandle. 
HMAC key: key.usageAuth 
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324 Outgoing Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM_TAG 


tag 


TPM_TAG_RSP_AUTH 1 ^COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_RESULT 


returnCode 


The return code of the operation. 






2S 


4 


TPM_C0MMAND_C0DE 


ordinal 


Command ordinal TPM_ORD_Delegate_CreateKeyDelegation 


4 


4 


3S 


4 


UINT32 


blobSize 


The length of the returned blob 


5 


<> 


4S 


o 


TPMJDELEGATE_KEY_BLOB 


btob 


The partially encrypted delegation information. 


6 


20 


2H1 


20 


TPM_N0NCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 






3H1 


20 


TPM_N0NCE 


nonceOdd 


Nonce generated by system associated with authHandle 


7 


1 


4H1 


1 


BOOL 


continueAuthSession 


Continue use flag. Fixed value of FALSE 


8 


20 






TPM_AUTHDATA 


resAuth 


The authorization session digest for the returned parameters. HMAC key: 
key.usageAuth 



325 Description 

326 1. The use restrictions that may be present on the key pointed to by keyHandle are not 

327 enforced for this command. Stated another way, TPM_CreateKeyDelegation is not a use 

328 of the key. 

329 Action 

330 1 . Verify AuthData for the command and parameters using privAuth 

331 2. Locate publiclnfo -> familylD in the TPM_FAMILY_TABLE and set family Row to indicate 

332 row, return TPM_BADINDEX if not found 

333 3. If the key authentication is in fact a delegation, then the TPM SHALL validate the 

334 command and parameters using Delegation authorisation, then 

335 a. Validate that authHandle -> familylD equals publiclnfo -> familylD return 

336 TPM_DELEGATE_FAMILY on error 

337 b. If TPM_FAMILY_TABLE.famTableRow[ authHandle -> familylD] -> flags -> 

338 TPM_FAMFLAG_ENABLED is FALSE, return error TPM_DISABLED_CMD. 

339 c. Verify that the delegation bits in publiclnfo do not grant more permissions then 

340 currently delegated. Otherwise return error TPM_AUTHFAIL 

341 4. Check that publiclnfo -> delegateType is TPM_DEL_KEY _BITS 

342 5. Verify that authHandle indicates an OSAP or DSAP session return 

343 TPM_INVALID_AUTHHANDLE on error 

344 6. If authHandle indicates XOR encryption for the AuthData secrets 

345 a. Create XI the SHA-1 of the concatenation of (authHandle -> sharedSecret | | 

346 authLastNonceEven) 

347 b. Create al by XOR XI and delAuth 

348 7. Else 
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349 a. Create al by decrypting delAuth using the algorithm indicated in the OSAP session 

350 b. Key is from authHandle -> sharedSecret 

351 c. IVisSHA-1 of (authLastNonceEven | | nonceOdd) 

352 8. Create hi the SHA-1 of TPM_STORE_PUBKEY structure of the key pointed to by 

353 keyHandle 

354 9. Create Ml a TPM_DELEGATE_SENSITIVE structure 

355 a. Set Ml -> tag to TPM_TAG_DELEGATE_SENSITIVE 

356 b. Set Ml -> authValue to al 

357 c. The TPM MAY add additional information of a sensitive nature relative to the 

358 delegation 

359 10. Create M2 the encryption of Ml using TPM_E>ELEGATE_KEY 

360 11. Create P 1 a TPM_DELEGATE_KEY_BLOB 

361 a. Set PI -> tag to TPM_TAG_DELG_KEY_BLOB 

362 b. Set PI -> pubKeyDigest to HI 

363 c. Set PI -> pub to Publiclnfo 

364 d. Set PI -> pub -> verificationCount to familyRow -> verificationCount 

365 e. Set PI -> integrityDigest to NULL 

366 f. The TPM sets additionalArea and additionalAreaSize appropriate for this TPM. The 

367 information MAY include symmetric IV, symmetric mode of encryption and other data 

368 that allows the TPM to process the blob in the future. 

369 g. Set PI -> sensitiveSize to the size of M2 

370 h. Set PI -> sensitiveArea to M2 

37 1 12. Calculate H2 the HMAC of PI using tpmProof as the secret 

372 13. Set PI -> integrityDigest to H2 

373 14. Ignore continueAuthSession on input set continueAuthSession to FALSE on output 

374 15. Return PI as blob 
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375 

376 

377 
378 
379 

380 
381 
382 
383 
384 
385 
386 
387 
388 

389 
390 
391 
392 

393 

394 



19.3 TPM_Delegate_CreateOwnerDelegation 



Start of informative comment: V , 

TPM_Delegate_CreateOwnerDelegation delegates the Owner's privilege to use a set of 
command ordinals, by creating a blob. Such blobs can be used as input data for TPM_DSAP 
or TPM_Delegate_LoadOwnerDelegation. 

TPM_Delegate_CreateOwnerDelegation includes the ability to void all existing delegations 
(by incrementing the verification count) before creating the new delegation. This ensures 
that the new delegation will be the only delegation that can operate at Owner privilege in j 
this family. This new delegation could be used to enable a security monitor (a local separate 
[entity, or remote separate entity, or local host entity) to reinitialize a family and perhaps i 
perform external verification of delegation settings. Normally the ordinals for a delegated 
security monitor would include TPM_Delegate_CreateOwnerDelegation (this command) in 
order to permit the monitor to create further delegations, and 
TPM_Delegate_UpdateVerification to reactivate some previously voided delegations. 

If the verification count is incremented and the new delegation does not delegate any 
privileges (to any ordinals) at all, or uses an authorisation value that is then discarded, this 
family's delegations are all void and delegation must be managed using actual Owner 
authorisation. ; 

(TPM_Delegate_CreateKeyDelegation must be used to delegate privilege to use a key.) 
End of informative comment. ■ 1 



395 Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM.TAG 


tag 


TPM_TAG_RQU_AUTH 1_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_COMMAND_CODE 


ordinal 


TPM_ORD_Delegate_CreateOwnerDelegation. 


4 


1 


2S 


1 


BOOL 


increment 


Flag dictates whether verificationCount will be incremented 


5 


<> 


3S 


<> 


TPM_DELEGATE_PUBLIC 


publiclnfo 


The public parameters for the blob 


\ 6 


20 


4S 


20 


TPM_ENCAUTH 


delAuth 


The encrypted new AuthData for the blob. The encryption key is tie 
shared secret from the OSAP protocol. 


7 


4 






TPM_AUTHHANDLE 


authHandle 


The authorization session handle TPM Owner authentication 






2H1 


20 


TPM_N0NCE 


authLastNonceEven 


Even nonce previously generated by TPM to cover inputs 


8 


20 


3H1 


20 


TPM.NONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


9 


1 


4H1 


1 


BOOL 


continueAuthSession 


Ignored 


10 


20 






TPM_AUTHDATA 


ownerAuth 


The authorization session digest. HMAC key:ownerAuth 
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396 Outgoing Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM.TAG 


tag 


TPM_TAG_RSP_AUTH 1 .COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM.RESULT 


returnCode 


The return code of the operation. 






2S 


4 


tdm pommamh rnnc 


ordinal 


i rm_UKU_ueiegaie_ureaie\jwnerueiegaiion 


4 


4 


3S 


4 


UINT32 


blobSize 


The length of the returned blob 


5 


<> 


4S 


<> 


TPM DELEGATE.OWNER B 
LOB 


blob 


The partially encrypted delegation information. 


6 


20 


2H1 


20 


TPM_N0NCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 






3H1 


20 


TPM_N0NCE 


nonceOdd 


Nonce generated by system associated with authHandle 


7 


1 


4H1 


1 


BOOL 


continueAuthSession 


Continue use flag. Fixed value of FALSE 


8 


20 






TPM_AUTHDATA 


resAuth 


The authorization session digest for the returned parameters. HMAC key: 
cwnerAuth 



397 Action 

398 1. The TPM SHALL authenticate the command using TPM Owner authentication. Return 

399 TPM_AUTHFAIL on failure. 

400 2. Locate publiclnfo -> familylD in the TPM_FAMILY_TABLE and set family Row to indicate 

40 1 the row return TPM_BADINDEX if not found 

402 a. Set FR to TPM JFAMILY_TABLE . faxaTableRow[familyRow] 

403 3. If the TPM Owner authentication is in fact a delegation 

404 a. Validate that authHandle -> familylD equals publiclnfo -> familylD return 

405 TPM_DELEGATE_FAMILY on error 

406 b. If FR -> flags -> TPM^FAM FLAGMEN ABLED is FALSE, return error 

407 TPM_DISABLED_CMD. 

408 c. Verify that the delegation bits in publiclnfo do not grant more permissions then 

409 currently delegated. Otherwise, return error TPM_AUTHFAIL. 

410 4. Check that publiclnfo -> delegateType is TPM_DEL_OWNER_BITS 

411 5. Verify that authHandle indicates an OSAP or DSAP session return 

412 TPM_INVALID_AUTHHANDLE on error 

413 6 . If increment = = TRUE 

414 a. Increment FR -> verificationCount 

415 b. Set TPM_STCLEAR_D ATA- > ownerReference to TPM_KH_OWNER 

416 c. The TPM invalidates sessions 

417 i. MUST invalidate all DSAP sessions 

418 ii. MUST invalidate all OSAP sessions associated with the delegation table 
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419 iii. MAY invalidate any other session 

420 7. If authHandle indicates XOR encryption for the AuthData secrets 

421 a. Create XI the SHA-1 of the concatenation of (authHandle -> sharedSecret | | 

422 authLastNonceEven) 

423 b. Create al by XOR XI and delAuth 

424 8. Else 

425 a. Create al by decrypting delAuth using the algorithm indicated in the OSAP session 

426 b. Key is from authHandle -> sharedSecret 

427 c. IV is SHA-1 of (authLastNonceEven | | nonceOdd) 

428 9. Create Ml a TPM_DELEGATE_SENSITIVE structure 

429 a. Set Ml -> tag to TPMJTAG_DELEGATE_SENSITIVE 

430 b. Set Ml -> authValue to al 

431 c. Set other Ml fields as determined by the TPM vendor 

432 10. Create M2 the encryption of M 1 using TPM_DELEGATE_KEY 

433 1 1 . Create B 1 a TPM_DELEGATE_OWNER_BLOB 

434 a. Set Bl -> tag to TPM_TAG_DELG_OWNER_BLOB 

435 b. Set Bl -> pub to publiclnfo 

436 c. Set Bl -> sensitiveSize to the size of M2 

437 d. Set Bl -> sensitiveArea to M2 

438 e. Set Bl -> integrityDigest to NULL 

439 f. Set Bl -> pub -> verificationCount to FR -> verificationCount 

440 12. The TPM sets additionalArea and additionalAreaSize appropriate for this TPM. The 

441 information MAY include symmetric IV, symmetric mode of encryption and other data 

442 that allows the TPM to process the blob in the future. 

443 13. Create HI the HMAC of Bl using tpmProof as the secret 

444 14. Set Bl -> integrityDigest to HI 

445 15. Ignore continueAuthSession on input set continueAuthSession to FALSE on output 

446 1 6. Return B 1 as blob 
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447 

448 

449 
450 
451 
452 
453 

454 
455 
456 

457 
458 

459 

460 



19.4 TPMDelegateLoadOwnerDelegation 



Start of informative comment: 

This command loads a delegate table row blob into a non-volatile delegate table row. 
TPM_Delegate_LoadOwnerDelegation can be used during manufacturing or on first boot 
(when no Owner is installed), or after an Owner is installed- If an Owner is installed, 
TPM_Delegate_LoadOwnerDelegation requires Owner authorisation, and sensitive 
information must be encrypted. 

Burn-out of TPM non-volatile storage by inappropriate use is mitigated by the TPM 's normal 
limits on NV -writes in the absence of an Owner. Tables can be locked after loading using 
TPM_Delegate_Manage, to prevent subsequent tampering. i 

A management system outside the TPM is expected to manage the delegate table rows- 
stored on the [TPM , and can overwrite any previously stored data. 

This command cannot be used to load key delegation blobs into the TPM 

End of informative comment. 



461 Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM.TAG 


tag 


TPM_TAG_RQU_AUTH 1 ^COMMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes ind. paramSize and tag 


3 


4 


1S 


4 


TPM_COMMAND_CODE 


ordinal 


Ordinal: TPM_ORD_De!egate_LoadOwnerOelegation 


4 


4 


3S 


4 


TPMJDELEGATEJNDEX 


index 


The index of the delegate row to be written 


5 


4 


4S 


4 


UINT32 


blobSize 


The size of the delegate blob 


6 


o 


5S 


o 


TPM DELEGATEJDWNER 
_BL0B 


blob 


Delegation information, including encrypted portions as appropriate 


7 


4 






TPM^AUTHHANDLE 


authHandle 


The authorization session handle TPM Owner authentication 






2H1 


20 


TPM_N0NCE 


authLastNonceEven 


Even nonce previously generated by TPM to cover inputs 


8 


20 


3H1 


20 


TPM_N0NCE 


nonceOdd 


Nonce generated by system associated with authHandle 


9 


1 


4H1 


1 


BOOL 


continueAuthSession 


The continue use flag for the authorization session handle 


10 


20 






TPM_AUTHDATA 


ownerAuth 


The authorization session digest HMAC key:ownerAuth 
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462 Outgoing Operands and Sizes 



PAR/WI 


HMAC 


Type 


Name 


Description 


ff 


SZ 


# 


SZ 


1 


2 






TPMJTAG 


tag 


TPM _TAG_RSP_AUTH 1 .COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes 


3 


4 


1S 


4 


TPMJRESULT 


returnCode 


The return code of the operation 






2S 


4 


TPM_COMMAND_CODE 


ordinal 


TPM_ORDJ)elegate_LoadOwnerDelegation 


5 


20 


2H1 


20 


TPM_NONCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 






3H1 


20 


TPM_NONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


6 


1 


4H1 


1 


BOOL 


continueAuthSession 


Continue use flag, TRUE if handle is still active 


7 


20 






TPM_AUTHDATA 


resAuth 


Authorization HMAC key: ownerAuth. 



463 Actions 

464 1. Map blob to Dl a TPM_DELEG ATE_0 WNER_BLOB . 

465 a. Validate that Dl -> tag == TPM_TAG_DELEGATE„OWNER_BLOB 

466 2. Locate Dl -> pub -> familylD in the TPM_FAMILY_TABLE and set family Row to indicate 

467 row, return TPM_BADINDEX if not found 

468 3. Set FR to TPM_FAMILY_TABLE -> famTableRow[familyRow) 

469 4. If TPM Owner is installed 

470 a. Validate the command and parameters using TPM Owner authentication, return 

47 1 TPM_AUTHFAIL on error 

472 b. If the authHandle session type is TPM_PID_DSAP, verify that Dl -> pub -> familylD 

473 matches authHandle -> familylD, on error return TPM_DELEGATE_FAMILY 

474 5. Else 

475 a. If FR -> flags -> TPM_DELEGATE_ADMIN__LOCK is TRUE return 

476 TPM_DELEGATE_LOCK 

477 b. Validate max NV writes without an owner 

478 i. Set NV1 to PD -> noOwnerNVWrite 

479 ii. Increment NV1 by 1 

480 iii. If NV1 > TPM_MAX_NV_WRITE_NOOWNER return TPM_MAXNVWRITES 

481 iv. Set PD -> noOwnerNVWrite to NV1 

482 6. If FR -> flags -> TPM_FAMFLAGJENABLED is FALSE, return TPM_DISABLED_CMD 

483 7. If TPM Owner is installed, validate the integrity of the blob 

484 a. Copy Dl -> integrity Digest to H2 

485 b. Set Dl -> integrityDigest to NULL 

486 c. Create H3 the HMAC of Dl using tpmProof as the secret 
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487 d. Compare H2 to H3, return TPM__AUTHFAIL on mismatch 

488 8. If TPM Owner is installed, create SI a TPM_DELEGATE_SENSITIVE area by decrypting 

489 Dl -> sensitiveArea using TPM_DELEGATE_KEY. Otherwise set SI = Dl -> sensitiveArea 

490 9. Validate SI 

491 a. Validate that SI -> tag TPM_TAG_DELEGATE_SENSITIVE, return 

492 TPM_INVALID_STRUCTURE on error 

493 10. Validate that index is a valid value for delegateTable, return TPM_BADINDEX on error 

494 1 l.The TPM invalidates sessions 

495 a. MUST invalidate all DSAP sessions 

496 b. MUST invalidate all OSAP sessions associated with the delegation table 

497 c. MAY invalidate any other session 

498 12. Copy data to the delegate table row 

499 a. Copy the TPM_DELEGATE_PUBLIC from Dl -> pub to TPM_DELEGATE_TABLE -> 

500 delRow[index] -> pub. 

501 b. Copy the TPM_SECRET from SI -> authValue to TPM_DELEGATE_TABLE -> 

502 delRow[index] -> authValue. 

503 c. Set TPM_STCLEARJDATA-> ownerReference to TPM_KH_OWNER 

504 d. If authHandle is of type DSAP then continueAuthSession MUST set to FALSE 

505 13. Return TPM_SUCCESS 
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506 

507 

508 
509 

510 
511 
512 
513 

514 
515 



19-5 TPM_Delegate_ReadTable 



Start of informative comment: 

i^yy^-yyy ; :''-' S: -y'" y - yy''': • - ' y-yy;. y'-y ■. . '';/.■■': • \ ^^i-y^^% 
This command reads from the TPM the public contents of the family and delegate tables 
that are stored on the TPM. Such data is required during external verification of tables. 

There are no restrictions on the execution of this command; anyone can read this 
information regardless of the state of the PCRs, regardless of whether they know any 
specific AuthData value and regardless of whether or not the enable and admin bits are set 
one way or the other. 

End of informative comment. 



Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


n 


SZ 


1 


2 






TPMJTAG 


tag 


TPMJ*AG_RQU_C0MMAND 


2 


4 






U1NT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_C0MMAND_C0DE 


ordinal 


Command ordinat TPM_ORD_Delegate_ReadTable 


Outgoing Operands and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPMJTAG 


tag 


TPM_TAG_RSP_C0M MAN D 


2 


4 






UINT32 


paramSize 


Total number of output bytes inc luding paramSize and tag 


3 


4 


1S 


4 


TPM.RESULT 


returnCode 


The return code of the operation 






2S 


4 


TPM_C0MMAND_C0DE 


ordinal 


Command ordinat TPM_ORD_Delegate_ReadTable 


4 


4 


3S 


4 


UINT32 


familyTableSize 


Size in bytes of familyTable 


5 


o 


4S 


o 


BYTE [ ] 


famiVTable 


Array of TPM_FAMILY_TABLE_ENTRY elements 


6 


4 


5S 


4 


UINT32 


delegateTableSize 


Size in bytes of delegateTable 


7 


<> 


6S 


o 


BYTEQ 


delegateTable 


Array of TPM.DELEGATEJNDEX and TPM_DELEGATE_PUBLIC 
elements 



516 



517 

518 
519 

520 

521 
522 

523 

524 

525 



Actions 

1. Set familyTableSize to the number of valid families on the TPM times 
sizeof(TPM_FAMILY_TABLE_ELEMENT) . 

2. Copy the valid entries in the internal family table to the output array familyTable 

3. Set delegateTableSize to the number of valid delegate table entries on the TPM times 
(sizeof(TPM_DELEGATE_PU BLIC) + 4). 

4. For each valid entry 

a. Write the TPM_DELEGATE_INDEX to delegateTable 

b. Copy the TPM_DELEGATE_PUBLIC to delegateTable 
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527 19.6 TPM_De legate JJpdate Verification 

528 (Stkrt of informative cbmni^irt: . ^ ~~ " ' ~ "~"~~/. ™ ~ ~ ~- , 

529 |TPM UpdateVerification sets the verificationCount in an entity (a blob or a delegation row) I 

530 to the current family value, in order that the delegations represented by that; entity will; 

531 continue to be accepted by the TPM. : 

532 [End of informa tive c omment, 



533 Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM.TAG 


tag 


TPM_TAG_RQU_AUTH 1 _C0MMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal: TPM_ORD_Delegate_UpdateVerification 


4 


4 


2S 


4 


UINT32 


inputSize 


The size of inputData 


5 


<> 


3S 


<> 


BYTE 


inputData 


TPM DELEGATE KEY BLOB or TPM DELEGATE OWNER BLOB 
or TPMJ3ELEGATEJNDEX 


6 


4 






TPM_AUTHHANDLE 


authHandle 


The authorization session handle used for owner authenticate 






2H1 


20 


TPM_N0NCE 


authLastNonceEv en 


Even nonce previously generated by TPM to cover inputs 


7 


20 


3H1 


20 


TPM.NONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


8 


1 


4H1 


1 


BOOL 


continueAuthSession 


The continue use flag for the authorization session handle 


9 


20 






TPM.AUTHDATA 


ownerAuth 


Authorization HMAC key. ownerAuth. 
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534 Outgoing Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM_TAG 


tag 


TPM_TAG_RSP_AUTH 1 _COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_RESULT 


returnCode 


The return code of the operation 






2S 


4 


TPM_C0MMAND_C0DE 


ordinal 


Command ordinal: TPM_ORD_Delegate_UpdateVerification 


4 


4 . 


3S 


4 


UINT32 


outputSize 


The size of the output 


5 


<> 


4S 


<> 


BYTE 


outputData 


TPM_DELEGATEJ<EY_BLOB or TPM_DELEGATE_OWNER_BLOB 


6 


20 


2H1 


20 


TPM.NONCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 






3H1 


20 


TPMJvJONCE 


nonceOdd 


Nonce generated by system associated with authHandie 


7 


1 


4H1 


1 


BOOL 


continueAuthSession 


Continue use flag, TRUE if handle is still active 


8 


20 






TPM„AUTHDATA 


resAuth 


The authorization session digest for the returned parameters. HMAC key: 
ownerAuth. 



535 Actions 

536 1. Verify the TPM Owner, directly or indirectly through delegation, authorizes the command 

537 and parameters, on error return TPM_AUTHFAIL 

538 2. Determine the type of inputData (TPM_DELEGATE_TABLE_ROW or 

539 TPM_DELEGATE_OWNERJBLOB or TPM_DELEGATE_KEY_BLOB) and map Dl to that 

540 structure 

541 a. Mapping to TPM_DELEGATE_TABLE__ROW requires taking inputData as a tablelndex 

542 and locating the appropriate row in the table 

543 3. If Dl is a TPM_DELEGATE„OWNERJBLOB or TPM_DELEGATE_KEY_BLOB, validate the 

544 integrity of D 1 

545 a. Copy Dl -> integrityDigest to H2 

546 b. Set Dl -> integrityDigest to NULL 

547 c. Create H3 the HMAC of Dl using tpmProof as the secret 

548 d. Compare H2 to H3 return TPM_AUTHFAIL on mismatch 

549 4. Locate (Dl -> pub -> familylD) in the TPM_FAMILY_TABLE and set familyRow to indicate 

550 row, return TPM_BADINDEX if not found 

551 5. Set FR to TPM^FAMILY^TABLE.famTableRow [familyRow] 

552 6. If delegated, verify that family of the delegated Owner-auth is the same as Dl: 

553 (authHandie -> familylD) == (Dl -> pub -> familylD); otherwise return error 

554 TPM_DELEGATE_FAMILY 

555 7. If delegated, verify that the family of the delegated Owner-auth is enabled: if (authHandie 

556 -> familylD -> flags TPM_FAMFLAG_ENABLED) is FALSE, return TPM_DISABLED_CMD 

557 8. Set Dl -> verificationCount to FR -> verificationCount 
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558 9. If Dl is a TPMJDELEGATE_OWNERBLOB or TPM_DELEGATE_KEY_BLOB set the 

559 integrity of Dl 

560 a. Set Dl -> integrityDigest to NULL 

561 b. Create HI the HMAC of Dl using tpmProof as the secret 

562 c. Set Dl -> integrityDigest to HI 

563 10. If Dl is a blob recreate the blob and return it 
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564 19,7 TPM_Delegate_Verify Delegation 



567 
568 



565 Start of ^ ' vV^ :.' ' ,.■ -: - ^^-:-',' : '-\ r , -'^J j 

566 TPM-VerifyDelegation interprets a delegate blob and returns success or failure, depending 



on whether the blob is currently valid. The delegate blob is NOT loaded into the TPM. 
End of informative comment. 



569 Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM_TAG 


tag 


TPM_TAG_RQU_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_C0MMAND_C0DE 


ordinal 


Command ordinal, TPM_Delegate_VerifyDelegation 


4 


4 


2S 


4 


UINT32 


delegationSize 


The length of the delegated information blob 


5 


<> 


3S 


<> 


BYTE[] 


delegation 


TPM_DELEGATE_KEY_BLOB or TPM_DELEGATE__OWNER_BLOB 


Outgoing Operands and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 




1 


2 






TPM.TAG 


tag 


TPM_TAG_RSP_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM.RESULT 


returnCode 


The return code of the operation. 






2S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal, TPM_Delegate_VerifyDelegation 



570 



571 


Actions 




572 
573 


1. 


Determine the type of blob, If delegation -> 
TPM_TAG_DELGATE_OWNER_BLOB then 


tag is equal to 


574 




a. Map Dl a TPM_DELEGATE_OWNER_BLOB to delegation 




575 


2. 


Else if delegation -> tag = TPM_TAG_DELG_KEY_BLOB 




576 




a. Map Dl a TPM_DELEGATE_KEY_BLOB to delegation 




577 


3. 


Else return TPM_BAD_PARAMETER 




578 
579 


4. 


Locate Dl -> familylD in the TPM_FAMILY_TABLE and set familyRow to indicate row, 
return TPM_BADINDEX if not found 


580 


5. 


Set FR to TPM_FAMILY_TABLE. famTableRow [familyRow] 




581 


6. 


If FR -> flags TPM_FAMFLAG_ENABLED is FALSE, return TPM_DISABLED_CMD 


582 
583 


7. 


Validate that Dl -> pub -> verificationCount matches FR 
mismatch return TPM_FAMILYCOUNT 


-> verificationCount, on 


584 


8. 


Validate the integrity of D 1 




585 




a. Copy Dl -> integrityDigest to H2 
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586 b. Set Dl -> integrityDigest to NULL 

587 c. Create H3 the HMAC of Dl using tpmProof as the secret 

588 d. Compare H2 to H3 return TPM_AUTHFAIL on mismatch 

589 9. Create SI a TPM_DELEGATE_SENSITIVE area by decrypting Dl -> sensitiveArea using 

590 TPM_DELEGATE_KEY 

591 10. Validate SI values 

592 a. SI -> tag is TPM_TAG_DELEGATE_SENSTIVE 

593 b. Return TPM_BAD_PARAMETER on error 

594 1 1 . Return TPM_SUCCESS 
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595 20. Non-volatile Storage 

596 [Start of informative comment: 

597 This section handles the allocation and use of the TPM non~ volatile storage. 



598 



End of informative comment. 



599 If nvlndex refers to the DIR, the TPM ignores actions containing access control checks that 

600 have no meaning for the DIR. The TPM only checks the owner authorization. 
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601 

602 

603 

604 
605 

606 

607 
608 

609 
610 



20.1 



TPM_NV_DefineSpace 



Start of informative comment: 

This establishes the space necessary for the indicated index. The definition will include the 
access requirements for writing and reading the area. 

The space definition size does not include the area needed to manage the space. 

Setting TPM_PERMANENT_FLAGS -> nvLocked TRUE when it is already TRUE is not an 
error/ ' . ■' - '• ■ ' ' 

End of informative comment. 



Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM_TAG 


tag 


TPM_TAG_RQU_AUTH1 ^COMMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_COMMAND_CODE 


ordinal 


Ordinal, TPM_ORD_NVJDefineSpace 


4 


o 


2S 


o 


TPM_NV_DATA_PUBL!C 


publnfo 


The public parameters of the NV area 


5 


20 


3S 


20 


TPM.ENCAUTH 


encAuth 


The encrypted AuthData, only valid if the attributes require subsequent 
authorization 


6 


4 






TPM_AUTH H AN DLE 


authHandle 


The authorization session handle used for ownerAuth 






2H1 


20 


TPM.NONCE 


authLastNonceEven 


Even nonce previously generated by TPM to cover inputs 


7 


20 


3H1 


20 


TPMJslONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


8 


1 


4H1 


1 


BOOL 


continueAuthSession 


The continue use flag for the authorization session handle 


9 


20 






TPM.AUTHDATA 


ownerAuth 


The authorization session digest HMAC key: ownerAuth 


Outgoing Operands and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 




1 


2 






TPM.TAG 


tag 


TPM_TAG_RSP_AUTH1_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM.RESULT 


returnCode 


The return code of the operation. 






2S 


4 


TPM_COMMAND_CODE 


ordinal 


ordinal, TPM_ORD_NV_DefineSpace 


4 


20 


2H1 


20 


TPM_N0NCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 






3H1 


20 


TPM_N0NCE 


nonceOdd 


Nonce generated by system associated with authHandle 


5 


1 


4H1 


1 


BOOL 


continueAuthSession 


Continue use flag, fixed to FALSE 


6 


20 






TPM.AUTHDATA 


ownerAuth 


The authorization session digest HMAC key: ownerAuth 



611 



612 
613 



Actions 

1. If publnfo -> nvlndex == TPM_NV_INDEX_LOCK and tag = TPM_TAG_RQU_COMMAND 
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614 a. If publnfo -> dataSize is not 0, the command MAY return TPM_BADINDEX. 

615 b. Set TPM.PERM ANENT_FLAGS - > n vLocked to TRUE 

616 c. Return TPM.SUCCESS 

617 2. If TPM_PERMANENT_FLAGS -> nvLocked is FALSE then all authorization checks except 

618 for the Max NV writes are ignored 

619 a. Ignored checks include physical presence, authorization, 'D' bit check, index 0, 

620 bGlobalLock, no authorization with a TPM owner present, and bWriteSTClear 

621 3. If publnfo -> nvlndex has the D bit (bit 28) set to a 1 or publnfo -> nvlndex == 0 then 

622 a. Return TPM_BADINDEX 

623 b. The D bit specifies an index value that is set in manufacturing and can never be 

624 deleted or added to the TPM 

625 c. Index value of 0 is reserved and cannot be defined 

626 4. If tag = TPM_TAG_RQU_AUTH l_COMMAND then 

627 a. The TPM MUST validate the command and parameters using the TPM Owner 

628 authentication and ownerAuth, on error return TPM_AUTHFAIL 

629 b. authHandle session type MUST be OSAP 

630 c. If authHandle indicates XOR encryption for the AuthData secrets 

631 i. Create XI the SHA-1 of the concatenation of (authHandle -> sharedSecret | | 

632 authLastNonceEven) 

633 ii. Create al by XOR XI and encAuth 

634 d. Else 

635 i. Create al by decrypting encAuth using the algorithm indicated in the OSAP 

636 session 

637 ii. Key is from authHandle -> sharedSecret 

638 iii. IV is SHA-1 of (authLastNonceEven | | nonceOdd) 

639 5. else 

640 a. Validate the assertion of physical presence. Return TPM_BAD_PRESENCE on error. 

641 b. If TPM Owner is present then return TPM_OWNER_SET. 

642 c. If publnfo -> dataSize is 0 then return TPM.J3 AD_JD ATASIZE . Setting the size to 0 

643 represents an attempt to delete the value without TPM Owner authentication. 

544 d. Validate max NV writes without an owner 

645 i. Set NV1 to TPM_PERMANENT_DATA -> noOwnerNVWrite 

646 ii. Increment NV1 ty 1 

647 iii. If NV1 > TPM_MAX_NV_WRITE_NOOWNER return TPM_MAXNVWRITES 

648 iv. Set TPM_PERMANENT_DATA -> noOwnerNVWrite to NV1 

649 e. Set Al to encAuth. There is no nonce or authorization to create the encryption string, 

650 hence the AuthData value is passed in the clear 
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651 6. If publnfo -> nvlndex points to a valid previously defined storage area then 

652 a. Map Dl a TPMJW_DATA_SENSITIVE to the storage area 

653 b. If Dl -> attributes specifies TPMJW.PERJ3LOBALLOCK then 

654 i. If TPM_STCLEAR_FLAGS -> bGlobalLock is TRUE then return 

655 TPM_AREA_LOCKED 

656 c. If Dl -> attributes specifies TPM_NVJPER_WRITE_STCLEAR 

657 i. If Dl -> publnfo -> bWriteSTClear is TRUE then return TPM_A RE A_LO C KE D 

658 d. Invalidate the data area currently pointed to by Dl and ensure that if the area is 

659 reallocated no residual information is left 

660 e. The TPM invalidates authorization sessions 

661 i. MUST invalidate all authorization sessions associated with Dl 

662 ii. MAY invalidate any other authorization session 

663 f. If publnfo -> dataSize is 0 then return TPM_SUCCESS 

664 7. Parse publnfo -> pcrlnfoRead 

665 a. Validate pcrlnfoRead structure on error return TPMJNVALID_STRUCTURE 

666 i. Validation includes proper PCR selections and locality selections 

667 8. Parse publnfo -> per Info Write 

668 a. Validate pcrlnfo Write structure on error return TPM_INVALID_STRUCTURE 

669 i. Validation includes proper PCR selections and locality selections 

670 b. If pcrlnfo Write -> localityAtRelease disallows some localities 

67 1 i . Set writeLocalities to TRUE 

672 c. Else 

673 i. Set writeLocalities to FALSE 

674 9. Validate that the attributes are consistent 

675 a. The TPM SHALL ignore the bReadSTClear, bWriteSTClear and bWriteDefine 

676 attributes during the execution of this command 

677 b. If TPM_NV_PER_OWNERWRITE is TRUE and TPM_NV_PER_AUTHWRITE is TRUE 

678 return TPM_AUTH_CONFLICT 

679 c. If TPM_NV_PER_OWNERREAD is TRUE and TPM_NV_PER_AUTHREAD is TRUE 

680 return TPM^AUTH.CONFLICT 

681 d. If TPM_NV_PER_OWNERWRITE and TPM_NVJPER_AUTHWRITE and 

682 TPMJW_PERJWRITEDEFINE and TPM_NV_PER_PPWRITE and writeLocalities are all 

683 FALSE 

684 i. Return TPM_PER_NOWRITE 

685 e. Validate nvlndex 

686 i. Make sure that the index is applicable for this TPM return TPMJ3ADINDEX on 

687 error. A valid index is platform and context sensitive. That is attempting to 
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688 validate an index may be successful in one configuration and invalid in another 

689 configuration. The individual index values MUST indicate if there are any 

690 restrictions on the use of the index. 

69 1 f . If dataSize is 0 return TPM J3ADJPARAM_SIZE 

692 1 0. Create D 1 a TPM_NV_DATA_SENSITIVE structure 

693 1 1. Validate that sufficient NV is available to store the data 

694 a. return TPM_NOSPACE if publnfo -> dataSize is not available in the TPM 

695 12. Ensure that the TPM reserves the space for dataSize 

696 a. Set all bytes in the newly defined area to OxFF 

697 13. Set Dl -> publnfo to publnfo 

698 14. Set Dl -> authValue to Al 

699 15. Set Dl -> publnfo -> bReadSTClear = FALSE; 

700 16. Set Dl -> publnfo -> bWriteSTClear = FALSE; 

701 17. Set Dl -> publnfo -> bWriteDefine = FALSE; 

702 18. Ignore continue AuthSession on input and set to FALSE on output 

703 19. Return TPM_SUCCESS 
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704 

705 

706 
707 
708 

709 
710 



20.2 



TPM NV WriteValue 



Start of informative comment: 

This command writes the value to a defined area. The write can be TPM Owner authorized 
or unauthorized and protected by other attributes arid will work when no TPM Owner is 



present. 

[End of informative comment. 

•.„•;_ — „ j : — ; -v. 



Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM.TAG 


tag 


TPM_TAG_RQU_AUTH 1 _C0MMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_C0MMAND_C0DE 


ordinal 


Ordinal, TPM_ORD_NV_WriteValue 


4 


4 


2S 


4 


TPM_NV_INDEX 


nvlndex 


The index of the area to set 


5 


4 


3S 


4 


UINT32 


offset 


The offset into the NV Area 


6 


4 


4S 


4 


UINT32 


dataSize 


The size of the data parameter 


7 


<> 


5S 


<> 


BYTE 


data 


The data to set the area to 


8 


4 






TPM_AUTH HANDLE 


authHandle 


The authorization session handle used for TPM Owner 






2H1 


20 


TPM_N0NCE 


authLastNonceEven 


Even nonce previously generated by TPM to cover inputs 


9 


20 


3H1 


20 


TPM_N0NCE 


authNonceOdd 


Nonce generated by caller 


10 


1 


4H1 


1 


BOOL 


continueAuthSession 


The continue use flag for the authorization session handle 


11 


20 






TPM_AUTHDATA 


ownerAuth 


The authorization session digest HMAC key: ownerAuth 


Outgoing Operands and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 




1 


2 






TPM_TAG 


tag 


TPM_TAG_RSP_AUTH 1_COMMAND 


2 


4 






U1NT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_RESULT 


returnCode 


The return code of the operation. 






2S 


4 


TPM_C0MMAND_C0DE 


ordinal 


ordinal, TPM_ORDJW_WriteValue I 


4 


20 


2H1 


20 


TPM_N0NCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 






3H1 


20 


TPM_N0NCE 


authNonceOdd 


Nonce generated by caller 


5 


1 


4H1 


1 


BOOL 


continueAuthSession 


Continue use flag, TRUE if handle is still active 


6 


20 






TPM J\UTH DATA 


ownerAuth 


The authorization session digest HMAC key: ownerAuth 



711 



712 

713 
714 

715 
716 



Actions 

1. If TPM_PERMANENT_FLAGS -> nvLocked is FALSE then all authorization checks except 
for the max NV writes are ignored 

a. Ignored checks include physical presence, authorization, 

TPM_NV_PER_0 WNERWRITE , and PCR 
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717 2. If nvlndex = 0 then 

718 a. If dataSize is not 0, return TPM_BADINDEX. 

719 b. Set TPM_STCLEAR_FLAGS -> bGlobalLock to TRUE 

720 c. Return TPM_SUCCESS 

721 3. Locate and set Dl to the TPM_NV_DATA_AREA that corresponds to nvlndex, return 

722 TPM_BADINDEX on error 

723 a. If nvlndex = TPM_NV_INDEX_DIR, set Dl to TPM_PERMANENT_DATA -> authDir[0] 

724 4. If Dl -> permission -> TPM_NV_PER_AUTHWRITE is TRUE return 

725 TPM_AUTH_CONFLICT 

726 5. If tag = TPM_TAG_RQU_AUTHl_COMMAND then 

727 a. If Dl -> permission -> TPM_NV_PER_OWNERWRITE is FALSE return 

728 TPM_AUTH_CONFLICT 

729 b. Validate command and parameters using ownerAuth HMAC with TPM Owner 

730 authentication as the secret, return TPM_AUTHFAIL on error 

731 6. Else 

732 a. If Dl -> permission -> TPM_NV_PER_OWNERWRITE is TRUE return 

733 TPM_AUTH_CONFLICT 

734 b. If no TPM Owner validate max NV writes without an owner 

735 i. Set NV1 to TPM_PERMANENT_DATA -> noOwnerNVWrite 

736 ii. Increment NV1 by 1 

737 iii. If NV1 > TPM_MAX_NV_WRITE_NOOWNER return TPM_MAXNVWRITES 

738 iv. Set TPM_PERMANENT_DATA -> noOwnerNVWrite to NV1 

739 7. Check that Dl -> pcrlnfoWrite -> localityAtRelease for TPM_STANY_DATA -> 

740 localityModifier is TRUE 

741 a. For example if TPM_STANY_DATA -> localityModifier was 2 then Dl -> pcrlnfo -> 

742 localityAtRelease -> TPM_LOC_TWO would have to be TRUE 

743 b. On error return TPM_BAD_LOCALITY 

744 8. If Dl -> attributes specifies TPM_NV_PER_PPWRITE then validate physical presence is 

745 asserted if not return TPM_BAD_PRESENCE 

746 9. If Dl -> attributes specifies TPM_NV_PER_WRITEDEFINE 

747 a. If Dl -> bWriteDefine is TRUE return TPM_AREA_LOCKED 

748 10. If Dl -> attributes specifies TPM_NV_PER_GLOBALLOCK 

749 a. If TPM_STCLEAR_DATA -> bGlobalLock is TRUE return TPM_AREA_LOCKED 

750 1 1 . If D 1 - > attributes specifies TPM_NV_PER_WRITE_STCLEAR 

751 a. If Dl ->bWriteSTClear is TRUE return TPM_AREA_LOCKED 

752 12. If Dl -> pcrlnfoWrite -> pcrSelection specifies a selection of TPM_STCLEAR_DATA -> 

753 PCR[] 
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754 a. Create PI a composite hash of the TPM_STCLEAR_DATA -> PCR[] specified by Dl -> 

755 pcrlnfoWrite 

756 b. Compare PI to Dl -> pcrlnfoWrite -> digestAtRelease return TPM_WRONGPCRVAL 

757 on mismatch 

758 1 3 . If dataSize = 0 then 

759 a. Set Dl -> bWriteSTClear to TRUE 

760 b. Set Dl -> bWriteDefine to TRUE 

761 14. Else 

762 a. Set SI to offset + dataSize 

763 b. If SI > Dl -> dataSize return TPM_NOSPACE 

764 c. If Dl -> attributes specifies TPM_NV_PER_WRITEALL 

765 i. If dataSize != Dl -> dataSize return TPM_NOT_FULLWRITE 

766 d. Write the new value into the NV storage area 

767 15. Set Dl -> bReadSTClear to FALSE 

768 1 6. Return TPM_SUCCESS 
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769 20.3 TPM_NV_WriteValueAuth 

770 Start of informative comment: : ^r--^- : — — --—|p-^p- 

77 1 This command writes to a previously defined area. The area must require authorization to 

772 write . Use this command ywhen authorization other than the, owner authorization is to be 

773 used. Otherwise, use TPMl"lW_lWriteValue. 

774 | End of informative comment* 

L„: .* , , ; ; : ,™ ........ * , • „ .. .;.x.^ _™ „„ . , i,: i.^;...^ 

775 Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM.TAG 


Tag 


TPM_TAG_RQU_AUTH 1 _COM MAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM.COMMANDCODE 


ordinal 


Ordinal, TPM_ORD_NV_WriteValueAuth 


4 


4 


2S 


4 


TPM.NVJNDEX 


nvlndex 


The index of the area to set 


5 


4 


3S 


4 


UINT32 | 


offset 


The offset into the chunk 


6 


4 


4S 


4 


UINT32 


dataSize 


The size of the data area 


7 


<> 


5S 


<> 


BYTE 


data 


The data to set the area to 


8 


4 






TPM.AUTHHANDLE 


authHandle 


The authorization session handle used for NV element authorization 






2H1 


20 


TPM_NONCE 


authLastNonceEven 


Even nonce previously generated by TPM to cover inputs 


9 


20 


3H1 


20 


TPM.NONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


10 


1 


4H1 


1 


BOOL 


continueAuthSession 


The continue use flag for the authorization session handle 


11 


20 






TPM_AUTHDATA 


authValue 


HMAC key: NV element auth value 


Outgoing Operands and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 




1 


2 






TPM_TAG 


tag 


TPM_TAG_RSP_AUTH 1 .COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_RESULT 


returnCode 


The return code of the operation. 






2S 


4 


TPM_COMMAND_CODE 


ordinal 


ordinal, TPM_ORD_N V.WriteValueAuth 


4 


20 


2H1 


20 


TPM_NONCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 






3H1 


20 


TPM_NONCE 


NonceOdd 


Nonce generated by system associated with authHandle 


5 


1 


4H1 


1 


BOOL 


continueAuthSession 


Continue use flag, TRUE if handle is still active 


6 


20 






TPM_AUTHDATA 


authValue 


HMAC key: NV element auth value 



777 Actions 

778 1. Locate and set Dl to the TPMJW_DATA_AREA that corresponds to nvlndex, return 

779 TPM_BADINDEX on error 

780 2. If Dl -> attributes does not specify TPMJW_PER_AUTHWRITE then return 

78 1 TPM_AUTH_CONFLICT 
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782 3. Validate authValue using Dl -> authValue, return TPM_AUTHFAIL on error 

783 4. Check that Dl -> pcrlnfo Write -> localityAtRelease for TPM_STANY_DATA -> 

784 localityModifier is TRUE 

785 a. For example if TPM_STANY_DATA -> localityModifier was 2 then Dl -> pcrlnfo -> 

786 localityAtRelease -> TPM_LOC_TWO would have to be TRUE 

787 b. On error return TPM_B AD_LO C ALITY 

788 5. If Dl -> attributes specifies TPM_NV_PER_PPWRITE then validate physical presence is 

789 asserted if not return TPM_BAD_PRESENCE 

790 6. If Dl -> pcrlnfo Write -> pcrSelection specifies a selection of PCR 

791 a. Create PI a composite hash of the TPM_STCLEAR_DATA -> PCR[] specified by Dl -> 

792 pcrlnfoWrite 

793 b. Compare PI to digestAtRelease return TPM_WRONGPCRVAL on mismatch 

794 7. If Dl -> attributes specifies TPM_NV_PER_WRITEDEFINE 

795 a. If Dl -> bWriteDefine is TRUE return TPM_AREA_LOCKED 

796 8. If Dl -> attributes specifies TPM_NV_PER_GLOBALLOCK 

797 a. If TPM_STCLEAR_FLAGS -> bGlobalLock is TRUE return TPM_AREA_LOCKED 

798 9. If Dl -> attributes specifies TPM_NV_PER_WRITE_STCLEAR 

799 a. If Dl -> bWriteSTClear is TRUE return TPM_AREA_LOCKED 

300 10. If dataSize - 0 then 

301 a. Set Dl -> bWriteSTClear to TRUE 

302 b. Set Dl -> bWriteDefine to TRUE 

303 11. Else 

304 a. Set SI to offset + dataSize 

305 b. If SI > Dl -> dataSize return TPM_NOSPACE 

306 c. If Dl -> attributes specifies TPM_NV_PER_WRITEALL 

307 i. If dataSize != Dl -> dataSize return TPM_NOT_FULLWRITE 

308 d. Write the new value into the NV storage area 

309 12. Set Dl -> bReadSTClear to FALSE 

310 13. Return TPM_SUCCESS 
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Sll 

812 

813 

814 
815 
316 
317 

318 



20.4 



TPM NV ReadValue 



Start of informative comment: 

Read a value from the NV store. This command uses optional owner authentication. 

Action 1 indicates that if the NV are is not locked then reading of the NV area continues 
without ANY authorization. This is intentional and allows a platform manufacturer to set 
the NV areas, read them back, and then lock them all without having to install a TPM 
owner. ; ' • • ' ' 7; 

End of informative comment. 



319 Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPNTTAG 


tag 


TPM_TAG_RQU_AUTH 1 _C0M MAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_COMMAND_C ODE 


ordinal 


Ordinal, TPM_ORD_NV_ReadValue 


4 


4 


2S 


4 


TPM.NVJNDEX 


nvlndex 


The index of the area to set 


5 


4 


3S 


4 


U1NT32 


offset 


The offset into the area 


6 


4 


4S 


4 


UINT32 


dataSize 


The size of the data area 


7 


4 






TPM_AUTHHANDLE 


authHandle 


The authorization session handle used for TPM Owner authorization 






2H1 


20 


TPM.NONCE 


authLastNonceEven 


Even nonce previously generated by TPM to cover inputs 


8 


20 


3H1 


20 


TPM.NONCE 


authNonceOdd 


Nonce generated by caller 


9 


1 


4H1 


1 


BOOL 


continueAuthSession 


The continue use flag for the authorization session handle 


10 


20 






TPM_AUTHDATA 


ownerAuth 


HMAC key: ownerAuth 



320 Outgoing Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM.TAG 


tag 


TPM_TAG_RSP_AUTH1_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 




TPM.RESULT 


return Code 


The return code of the operation. 






2S 


4 


TPM_COMMAND_CODE 


ordinal 


TPM_ORD_NV_ReadValue 


4 


4 


3S 


4 


UINT32 


dataSize 


The size of the data area 


5 


<> 


4S 


o 


BYTE 


data 


The data to set the area to 


6 


20 


2H1 


20 


TPM_NONCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 






3H1 


20 


TPM_NONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


7 


1 


4H1 


1 


BOOL 


continueAuthSession 


Continue use flag, TRUE if handle is still active 


8 


20 






TPM.AUTHDATA 


ownerAuth 


HMAC key: ownerAuth 



321 Actions 
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322 1. If TPM_PERMANENT_FLAGS -> nvLocked is FALSE then all authorization checks are 

323 ignored 

324 2. Set Dl a TPM_NV_DATA_AREA structure to the area pointed to by nvlndex, if not found 

325 return TPM_BADINDEX 

326 a. If nvlndex = TPM_NV_INDEX_DIR, set Dl to TPM_PERMANENT_DATA -> authDir[0] 

327 3. If tag = TPM_TAG_RQU_AUTHl_COMMAND then 

328 a. If Dl -> TPM_NV_PER_OWNERREAD is FALSE return TPM_AUTH_CONFLICT 

329 b. Validate command and parameters using TPM Owners authentication on error return 

330 TPM_AUTHFAIL 

331 4. Else 

332 a. If Dl -> TPM_NV_PER_AUTHREAD is TRUE return TPM_AUTH_CONFLICT 

333 b. If Dl -> TPM_NV_PER_OWNERREAD is TRUE return TPM_AUTH_CONFLICT 

334 5. Check that Dl -> pcrlnfoRead -> localityAtRelease for TPM_STANY_DATA -> 

335 localityModifier is TRUE 

336 a. For example if TPM_STANY_DATA -> localityModifier was 2 then Dl -> pcrlnfo -> 

337 localityAtRelease -> TPM_LOC_TWO would have to be TRUE 

338 b. On error return TPM_B AD_LO C ALITY 

339 6. If Dl -> attributes specifies TPM_NV_PER_PPREAD then validate physical presence is 

340 asserted if not return TPM_BAD_PRESENCE 

341 7. If Dl -> TPM_NV_PER_READ_STCLEAR then 

342 a. If D 1 -> bReadSTClear is TRUE return TPM_DISABLED_CMD 

343 8. If Dl -> pcrlnfoRead -> pcrSelection specifies a selection of PCR 

344 a. Create PI a composite hash of the TPM_STCLEAR_DATA -> PCR[] specified by Dl -> 

345 pcrlnfoRead 

346 b. Compare PI to Dl -> pcrlnfoRead -> digestAtRelease return TPM_WRONGPCRVAL on 

347 mismatch 

348 9. If dataSize is 0 then 

349 a. Set Dl -> bReadSTClear to TRUE 

350 b. Set data to NULL 

351 10. Else 

352 a. Set SI to offset + dataSize 

353 b. If SI > Dl -> dataSize return TPM_NOSPACE 

354 c. Set data to area pointed to by offset 

355 1 1 . Return TPM_SUCCESS 
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356 20.5 

357 
358 
359 



TPM_NV_ReadValueAuth 



^^^^^^ „„„ r ^ r , 

Start of informative comment: 

l^.-V-.' -y,. t \ \ .. , -. : . • • = V'M, P.-.^-v ■.•rji* " ... \ xy V , - A L'v *' <. • . ' . • " , ..»».' .. .-. - .J''. 

This command requires that the read be authorized by a value set with the blob. 
End of informative comment. 



360 Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM_TAG 


tag 


TPM_TAG_RQU_AUTH 1 _COM MAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM__COMMAND_CODE 


ordinal 


Ordinal, TPM_ORD_NV_ReadValueAuth 


4 


4 


2S 


4 


TPM_NV_INDEX 


nvlndex 


The index of the area to set 


5 


4 


3S 


4 


UNIT32 


offset 


The offset from the data area 


6 


4 


5S 


4 


UINT32 


dataSize 


The size of the data area 


7 


4 






TPM JUJTHHANDLE 


authHandle 


authThe auth handle for the NV element authorization 






2H1 


20 


TPM_NONCE 


authLastNonceEven 


Even nonce previously generated by TPM to cover inputs 


8 


20 


3H1 


20 


TPMJMONCE 


authNonceOdd 


Nonce generated by system associated with authHandle 


9 


1 


4H1 


1 


BOOL 


authContinueSession 


The continue use flag for the authorization session handle 


10 


20 






TPM_AUTHDATA 


authHmac 


HMAC key: nv element authorization 


Outgoing Operands and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 




1 


2 






TPM.TAG 


tag 


TPM_TAG_RSP_AUTH 1_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_RESULT 


returnCode 


The return code of the operation. 






2S 


4 


TPM.COMMAND.CODE 


ordinal 


ordinal, TPM_ORDNV_ReadValueAuth 


4 


4 


3S 


4 


UINT32 


dataSize 


The size of the data area 


5 


<> 


4S 


0 


BYTE 


data 


The data 


6 


20 


2H1 


20 


TPM_NONCE 


authNonceEven 


Even nonce newly generated by TPM to cover outputs 






3H1 


20 


TPM_N0NCE 


authLastNonceOdd 


Nonce generated by system associated with authHandle 


7 


1 


4H1 


1 


BOOL 


authContinueSession 


Continue use flag, TRUE if handle is still active 


8 


20 






TPM_AUTHDATA 


authHmacOut 


HMAC key: nv element authorization 



862 

363 
364 

365 

866 



Actions 

1. Locate and set Dl to the TPM_NV_DATA_AREA that corresponds to nvlndex, on error 
return TPM_BADINDEX 

2. If Dl -> TPM_NV_PER_AUTHREAD is FALSE return TPM_AUTH_CONFLICT 

3. Validate authHmac using Dl -> authValue on error return TPM_AUTHFAIL 
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367 4. If Dl -> attributes specifies TPM_NV_PER_PPREAD then validate physical presence is 

368 asserted if not return TPM_BAD_PRESENCE 

369 5. Check that Dl -> pcrlnfoRead -> localityAtRelease for TPM_STANY_DATA -> 

370 localityModifier is TRUE 

371 a. For example if TPM_STANY_DATA -> localityModifier was 2 then Dl -> pcrlnfo -> 

372 localityAtRelease -> TPM_LOC_TWO would have to be TRUE 

373 b. On error return TPM„BAD_LOCALITY 

374 6. If Dl -> pcrlnfoRead -> pcrSelection specifies a selection of PCR 

375 a. Create PI a composite hash of the TPM_STCLEA R_D ATA -> PCR[] specified by Dl -> 

376 pcrlnfoRead 

377 b. Compare PI to Dl -> pcrlnfoRead -> digestAtRelease return TPM_WRONGPCRVAL on 

378 mismatch 

379 7. If D 1 specifies TPMJW_PER_READ_STCLEAR then 

380 a. If Dl -> bReadSTClear is TRUE return TPM_DISABLED_CMD 

381 8. If dataSize is 0 then 

382 a. Set Dl -> bReadSTClear to TRUE 

383 b. Set data to NULL 

384 9. Else 

385 a. Set SI to offset + dataSize 

386 b. If SI > Dl -> dataSize return TPM^NOSPACE 

387 c. Set data to area pointed to by offset 

388 10. Return TPM„SUCCESS 
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21. Session Management 



Start of informative comment: 

Three TPM_RTjCONTEXT session resources located in TPM_STANYJ3ATA work together to 
control session save and load: contextNonceSession, contextCount, and contextList[] . 

All three MUST initialized at TPM_Startup(ST_ANY), wWch : invalidates all saved sessions. 
They MAY be restored by TPM Startup (ST STATE), which would allow saved sessions to be 
loaded. The operation is reported as the TPM^RT^CONTEXT startup effect. 

TPM_SaveContext creates a contextBlob containing an encrypted contextNoriceSession. The 
nonce is checked by TPM_Ix)adContext. So initializing contextNonceSession invalidates all 
saved contexts. The nonce is large and protected, making a replay infeasible. 

The contextBlob also contains a public but protected contextCount. The count increments 
for each saved contextBlob. The TPM also saves contextCount in contextListf] . The TPM 
validates contextBlob , against the contextList[] during TPM_LoadCpntext. Since the 
contextList[] is finite, it limits the number of valid saved sessions. Since the contextCount 
cannot be allowed to wrap, it limits the total number of saved sessions. 

After a contextBlob is loaded, its contextCount entry is removed from contextList[]. This 
releases space in the context list for future entries . It also invalidates the contextBlob . So a 
saved contextBlob can be loaded only once. 

TPM_FlushSpecific can also specify a contextCount to be removed from the contextListf], 
allowing invalidation of an individual contextBlob. Ttiis is different from TPM_FlushSpecific 
specifying a session handle, which invalidates a loaded session, not a saved contextBlob. 

End of informative comment. ' _ _ ._ 



912 


21.1 TPM_KeyControlOwner 


913 


Start of informative comment: 


914 


This command controls some attributes of keys that are stored within the TPM key cache. 


915 
916 
917 


OwnerEvict: If this bit is set to true, this key remains in the TPM through all TPM_Startup 
events. The only way to evict this key is for the TPM Owner to execute this command again, 
setting the owner control bit to false and then executing TPM_FlushSpecific. 


918 


The key handle does not reference an authorized entity and is not validated. 


919 


End of informative comment. 


920 


Incoming Parameters and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM.TAG 


tag 


TPM_TAG_RQU_AUTH 1 .COMMAND j 


2 


4 






UINT32 


paramSize 


Total number of input bytes incl. paramSize and tag 


3 


4 


1S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal: TPM_ORD_KeyControlOwner 


4 


4 






TPM_KEY_HAN DLE 


keyHandle 


The handle of a loaded key. 
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5 


<> 


2S 


o 


TPM_PUBKEY 


pubKey 


The public key associated with the loaded key 


6 


4 


3S 


4 


TPM_KEY_C0NTR0L 


bitName 


The name of the bit to be modified 


7 


1 


4S 


1 


BOOL 


bitValue 


The value to set the bit to 


8 


4 






TPM.AUTHHANDLE 


authHandle 


The authorization session handle used for owner authentication 


9 




2H1 


20 


TPM.NONCE 


authLastNonceEven 


Even nonce previously generated by TPM to cover inputs 


10 


20 


3H1 


20 


TPM.N0NCE 


nonceOdd 


Nonce generated by system associated with authHandle 


11 


1 


4H1 


1 


BOOL 


continueAuthSession 


The continue use flag for the authorization session handle 


12 


20 




20 


TPM_AUTHDATA 


ownerAuth 


HMAC authorization: tey ownerAuth 



921 Outgoing Parameters and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPMJTAG 


tag 


TPM_TAG_RSP_AUTH 1 .COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_RESULT 


returnCode 


The return code of the operation. 






2S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal :TPM_ORD_KeyControlOwner 


4 


20 


2H1 


20 


TPM.NONCE 


nonceEven 


Even nonce newly generated by TPM. 






3H1 


20 


TPM_NONCE 


nonceOdd 


Nonce generated by system 


5 


1 


4H1 


1 


BOOL 


continueAuthSession 


Continue use flag, TRUE if handle is still active 


6 


20 






TPM_AUTHDATA 


resAuth 


HMAC authorization: key ownerAuth 



922 Descriptions 

923 1 . Set an internal bit within the key cache that controls some attribute of a loaded key. 

924 Actions 

925 1. Validate the AuthData using the owner authentication value, on error return 

926 TPM_AUTHFAIL 

927 2. Validate that keyHandle refers to a loaded key, return TPMJNVALID__KEYHANDLE on 

928 error. 

929 3. Validate that pubKey matches the key held by the TPM pointed to by keyHandle, return 

930 TPM_BAD_PARAMETER on mismatch 

931 a. This check added so that virtualization of the keyHandle does not result in attacks as 

932 the keyHandle is not associated with an authorization value 

933 4. Validate that bitName is valid, return TPMJBADJVIODE on error. 

934 5. If bitName == TPM_KEY_CONTROL_OWNER_EVICT 

935 a. If bitValue == TRUE 

936 i. Verify that after this operation at least two key slots will be present within the 

937 TPM that can store any type of key both of which do NOT have the OwnerEvict bit 

938 set, on error return TPM_NOSPACE 
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939 ii. Verify that for this key handle, pare ntPCRStatus is FALSE and isVolatile is 

940 FALSE. Return TPM_BAD_PARAMETER on error. 

941 iii. Set ownerEvict within the internal key storage structure to TRUE. 

942 b. Else if bitValue == FALSE 

943 i. Set ownerEvict within the internal key storage structure to FALSE. 

944 6. Return TPM_SUCCESS 
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945 

946 

947 
948 
949 

950 
951 
952 
953 

954 
955 
956 
957 
958 

959 
960 



21.2 TPM SaveContext 



Start of informative comment: 

TPM_SaveContext saves a loaded resource outside the TPM . After successful , execution of 
the command, the TPM automaticaUy releases the internal memory for sessions but leaves 
keys in place. . 'rC^,^-: .^:,^.:d^.-^ ' 'd-^S'r--'.- &^d:^^ \ ' 

There is no assumption that a saved context blob is stored in a safe, protected area. Since 
the context blob can be loaded at any time, do not rely on TPM_SaveContext to restrict 
access to an entity such as a key. If use of the entity should be restricted, means such as 
authorization secrets or PCR's should be used. 

In general, TPM__SaveContext can save a transport session. However, it cannot save an 
exclusive transport session, because any ordinal other than TPM_ExecuteTransport 
terminates the exclusive transport 5 session. This action prevents the exclusive transport 
session from being saved and reloaded while intervening commands are hidden from the 
transport log. ■ . v"'^""-^/----^-.. \-r.^\ 

End of informative comment, ;•: ;- ' 



Incoming Parameters and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM.TAG 


tag 


TPM_TAG_RQU_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_C0MMAND_C0DE 


ordinal 


Command ordinal: TPM_ORD_SaveContext 


4 


4 






TPM_HANDLE 


handle 


Handle of the resource being saved. 


5 


4 


2S 


4 


TPM_RESOURCE_TYPE 


resourceType 


The type of resource that is being saved 


6 


16 


3S 


16 


BYTE{16] 


label 


Label for identification purposes 


Ou 


tgoing Parameters and Sizes 


PARAM 


HMAC ; 


Type 


Name 


Description 


# 


sz 


# 


SZ 


1 


2 






TPMJTAG 


tag 


TPM_TAG_RSP_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_RESULT 


retumCode 


The return code of the operation. 






2S 


4 


TPM_C0MMAND_C0DE 


ordinal 


Command ordinal: TPM_ORD_SaveContext 


4 


4 


3S 


4 


UINT32 


contextSize 


The actual size of the outgoing context blob 


5 


<> 


4S 


o 


TPM_C0NTEXT_BL0B 


contextBlob 


The context blob 



961 



962 

963 
964 
965 



Description 

1. The caller of the function uses the label field to add additional sequencing, anti -replay or 
other items to the blob. The information does not need to be confidential but needs to be 
part of the blob integrity. 
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966 Actions 

967 1. Map VI to TPM_STANY_DATA 

968 2. Validate that handle points to resource that matches resourceType, return 

969 TPM_INVALID_RESOURCE on error 

970 3. Validate that resourceType is a resource from the following list if not return 

97 1 TPM_INVALID^RESOURCE 

972 a. TPM_RT__KEY 

973 b. TPM__RT_AUTH 

974 c. TPM_RT_TRANS 

975 d. TPM_RT_DAA_TPM 

976 4. Locate the correct nonce 

977 a. If resourceType is TPM_RTKEY 

978 i. If TPMJ3TCLEAR_DATA -> contextNonceKey is NULLS 

979 (1) Set TPM_STCLEAR_DATA -> contextNonceKey to the next value from the TPM 

980 RNG 

981 ii. Map Nl to TPM_STCLEAR_DATA -> contextNonceKey 

982 iii. If the key has TPM_KEY_CONTROL_OWNER_EVICT set then return 

983 TPM„OWNER„CONTROL 

984 b. Else 

985 i. If VI -> contextNonceSession is NULLS 

986 (1) Set VI -> contextNonceSession to the next value from the TPM RNG 

987 ii. Map Nl to VI -> contextNonceSession 

988 5. Set Kl to TPM_PERMANENT_DATA -> contextKey 

989 6. Create Rl by putting the sensitive part of the resource pointed to by handle into a 

990 structure. The structure is a TPM manufacturer option. The TPM MUST ensure that ALL 

99 1 sensitive information of the resource is included in Rl . 

992 7. Create CI a TPM_CONTEXT_SENSITIVE structure 

993 a. CI forms the inner encrypted wrapper for the blob. All saved context blobs MUST 

994 include a TPM_CONTEXT__SENSITIVE structure and the TPM_CONTEXT_SENSmVE 

995 structure MUST be encrypted. 

996 b. Set CI -> contextNonce to Nl 

997 c. Set CI -> internalData to Rl 

998 8. Create Bl a TPM_CONTEXTBLOB 

999 a. Set B 1 -> tag to TPM_TAG_CONTEXTBLOB 

000 b. Set Bl -> resourceType to resourceType 

001 c. Set Bl -> handle to handle 

002 d. Set Bl -> integrityDigest to NULL 
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003 e. Set Bl -> label to label 

004 f. Set Bl -> additionalData to information determined by the TPM manufacturer. This 

005 data will help the TPM to reload and reset context. This area MUST NOT hold any data 

006 that is sensitive (symmetric IV are fine, prime factors of an RSA key are not). 

007 i. For OSAP sessions, and DSAP attached to keys, the hash of the entity MUST be 

008 included in additionalData 

009 g. Set Bl -> additionalSize to the size of additionalData 

010 h. Set Bl -> sensitiveSize to the size of CI 

011 i. Set B 1 -> sensitiveData to C 1 

012 9. If resourceType is TPM_RTKEY 

013 a. Set Bl -> contextCount to 0 

014 10. Else 

015 a. If VI -> contextCount > 232-2 then 

016 i. Return with TPM_TOOMANYCONTEXTS 

017 b. Else 

018 i. Increment VI -> contextCount by 1 

019 ii. Validate that the TPM can still manage the new count value 

020 (1) If the distance between the oldest saved context and the contextCount is too 

02 1 large return TPM_CONTEXT_GAP 

022 iii. Find contextlndex such that VI -> contextList[contextIndex] equals 0. If not found 

023 exit with TPM_NOCONTEXTSPACE 

024 iv. Set Vl-> contextList[contextIndex] to VI -> contextCount 

025 v. Set Bl -> contextCount to VI -> contextCount 

026 c. The TPM MUST invalidate all information regarding the resource except for 

027 information needed for reloading 

028 11. Calculate Bl -> integrityDigest the HMAC of Bl using TPM_PERMANENTJ3ATA -> 

029 tpmProof as the secret 

030 12. Create El by encrypting CI using Kl as the key 

031 a. Set Bl -> sensitiveSize to the size of El 

032 b. Set Bl -> sensitiveData to El 

033 13. Set contextSize to the size of B 1 

034 14. Return B 1 in contextBlob 
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035 21.3 TPM LoadContext 

036 



039 
040 



Start of informative comment: 



037 [TPM LoadContext loads into the TPM a previously saved context. The command returns a 

038 v,*r^v; • ; ' " ' ■ 



: 



End of informative comment 



Incoming Parameters and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM_TAG 


tag 


TPM_TAG_RQU_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 I 


4 


1S 


4 


TPM_C0MM/MD_C0DE 


ordinal 


Command ordinal: TPM_ORD_LoadContext 


4 


4 






TPM_HANDLE 


entityHandle 


The handle the TPM MUST use to locate the entity tied to the OSAP/DSAP 
session 


5 


1 


2S 


1 


BOOL 


keepHandle 


Indication if the handle MUST be preserved 


6 


4 


3S 


4 


UINT32 


contexSize 


The size of the following context blob. 


7 


o 


4S 


o 


TPM_CONTEXT_BLOB 


contextBlob 


The context blob 


Outgoing Parameters and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM.TAG 


tag 


TPM_TAG_RSP_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


I 4 


1S 


4 


TPM_RESULT 


retumCode 


The return code of the operation. 






2S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal: TPM_ORD_LoadContext 


4 


4 






TPM_HANDLE 


handle 


The handle assigned to the resource after it has been successfully loaded. 



041 



042 

043 

044 

045 
046 

047 
048 

049 

050 

051 
052 



Actions 

1. Map contextBlob to Bl, a TPM_CONTEXT_BLOB structure 

2. Map VI to TPM_STANY_DATA 

3. Create Ml by decrypting Bl -> sensitiveData using TPM_PERMANENT_DATA -> 
contextKey 

4. Create CI and Rl by splitting Ml into a TPM_CONTEXT_SENSITIVE structure and 
internal resource data 

5. Check contextNonce 

a. If Bl -> resourceType is NOT TPM_RT_KEY 

i. If CI -> contextNonce does not equal VI 
TPM_BADCONTEXT 



-> contextNonceSession return 
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053 ii. Validate that the resource pointed to by the context is loaded (i.e. for CSAP the 

054 key referenced is loaded and DSAP connected to the key) return 

055 TPM.RESOURCEMISSING 

056 (1) For OSAP sessions the TPM MUST validate that the incoming pubkey hash 

057 matches the key held by the TPM 

058 (2) For OSAP and DSAP sessions referring to a key, verify that entityHandle 

059 identifies the key linked to this OSAP/DSAP session, if not return 

060 TPMJBAD__HANDLE. 

061 b. Else 

062 i. If CI -> internalData -> parentPCRStatus is FALSE and CI -> internalData -> 

063 is Volatile is FALSE 

064 (1) Ignore CI -> contextNonce 

065 ii. else 

066 (1) If CI -> contextNonce does not equal TPM_STCLEAR_DATA -> 

067 contextNonceKey return TPMJ3ADCONTEXT 

068 6. Validate the structure 

069 a. Set HI to Bl -> integrityDigest 

070 b. Set Bl -> integrityDigest to NULL 

071 c. Copy Ml to Bl -> sensitiveData 

072 d. Create H2 the HMAC of Bl using TPM_PERMANENT_DATA -> tpmProof as the HMAC 

073 key 

074 e. If H2 does equal HI return TPM_BADCONTEXT 

075 7. If keepHandle is TRUE 

076 a. Set handle to Bl -> handle 

077 b. If the TPM is unable to restore the handle the TPM MUST return TPM_BAD_HANDLE 

078 8. Else 

079 a. The TPM SHOULD attempt to restore the handle but if not possible it MAY set the 

080 handle to any valid for Bl -> resourceType 

081 9. If Bl -> resourceType is NOT TPM_RT_KEY 

082 a. Find contextlndex such that VI -> contextList[contextIndex] equals Bl -> 

083 TPM_CONTEXT_BLOB -> contextCount 

084 b. If not found then return TPM_BADCONTEXT 

085 c. Set VI -> contextList[ contextlndex] to 0 

086 10. Process Bl to return the resource back into TPM use 



Level 2 Revision 94 29 March 2006 Draft 



223 

TCG Published 



Copyright © TCG 



TPM Main Part 3 Commands 
Specification Version 1 .2 



087 
088 

089 
090 
091 
092 

093 
094 
095 

096 

097 

098 

099 

100 

101 



22. Eviction 



Start of informative comment: 

The TPM has numerous resources held inside of the TPM that may need eviction. The need 
for eviction occurs when the number or resources in use by the TPM exceed the available 
space. For resources that are hard to reload (i.e. keys tied to PCR values) the outside entity 
should first perform a context save before evicting items. 

In version 1. 1 there were separate commands to evict separate resource types. This new 
command set uses the resource types defined for context saving and creates a generic 
command that will evict all resource types. 

End of informative comment. 



The TPM MUST NOT flush the EK or SRK using this command. 
Version 1.2 deprecates the following commands: 
? TPM Terminate_Handle 



? TPM_EvictKey 
? TPM Reset 
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102 22.1 TPM_FlushSpecific 

103 [Start^fi^ ; ; 

104 iTPM* FlushSpecific flushes from the TPM a specific handle. * 

105 [End of informative comment. . : • : • T ' | 

106 Incoming Parameters and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM.TAG 


tag 


TPM_TAG_RQU_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal: TPM_ORD_FlushSpecific 


4 


4 






TPM.HANDLE 


handle 


The handle of the item to flush 


| 5 


4 


2S 


4 


TPM RESOURCE TYPE 


resourceType 


The type of resource that is being flushed 


Ou 


tgoing Parameters and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


sz 


# 


SZ 


1 


2 






TPM.TAG 


tag 


TPM_TAG_RSP_C 0MM AN D 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_RESULT 


retumCode 


The return code of the operation 






2S 


4 


TPM_C0MMAND_C0DE 


ordinal 


Command ordinat TPM_ORD_FlushSpecific 



108 Description 

109 TPM_FlushSpecific releases the resources associated with the given handle. 

110 Actions 

111 1 . If resourceType is TPM_RT_CONTEXT 

112 a. The handle for a context is not a handle but the "context count" value. The TPM uses 

113 the "context count" value to locate the proper contextList entry and sets Rl to the 

114 contextList entry 

115 b. If R 1 is not a valid saved context return TPM_BAD_PARAMETER 

116 2 . Else if resourceType is TPM_RT_KEY 

1 17 a. Set Rl to the key pointed to by handle 

118 b. Validate that Rl points at valid key 

1 19 c. If Rl -> ownerEvict is TRUE return TPM_KEY_OWNER_CONTROL 

120 3. Else if resourceType is TPM_RT_HASH or TPM„RT_OOUNTER or TPM_RT_DELEGATE 

121 a. Return TPM_INVALID_RESOURCE 

122 4. Else 
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123 a. Set Rl to the resource pointed to by handle 

124 b. Validate that resource type and handle point to a valid allocated resource 

125 5. Invalidate Rl and all internal resources allocated to Rl 

126 a. Resources include authorization sessions 
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127 
128 

129 
130 

131 
132 

133 
134 



23. Timing Ticks 



136 
137 
138 
139 



Start of informative comment: 



}The TPM timing tic^s ^e ^w of timing ticks to actual 

jtime is a protocol that occurs outside of the TPM/ See the design document for details. 

bThe setting of the clock type variable is a one time operation that allows the TPM to be 
(configured to the type of platform that is installed on. 

iThe ability for the TPM to continue to increment the timer ticks across power cycles of the 
jplatform is a TPM and platform manufacturer decision. 



135 End of informative comment. 



23,1 TPM GetTicks 



Start of informative comment: 

This command returns the current tick count of the TPM. 
End of informative comment. 



140 Incoming Parameters and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM_TAG 


tag 


TPM_TAG_RQU_C0 MMAN D 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_C0MMAND_C0DE 


ordinal 


Ordinal: TPM_ORD_GetTicks 


Ou 


tgo 


ng P 


Parameters and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM.TAG 


tag 


TPM_TAG_RSP_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM.RESULT 


returnCode 


The return code of the operation. 






2S 


4 


TPM_C0MMAND_C0DE 


ordinal 


Ordinal: TPM.ORD JSetTicks 


4 


32 


3S 


32 


TPM_CURRENT_TICKS 


currentTime 


The current time held in the TPM 1 



141 



142 

143 
144 
145 



Descriptions 

This command returns the current time held in the TPM. It is the responsibility of the 
external system to maintain any relation between this time and a UTC value or local real 
time value. 



146 Actions 

147 1 . Set Tl to the internal TPM_CURRENT_TICKS structure 

148 2. Return Tl as currentTime. 
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149 23.2 TPMJTickStampBlob 

150 Start of informative comment: 

151 TKis command applies a time stamp to the .passed -blob. The TPM makes no representation 

152 regaxdihg the blob merely, that the blob was present at the^TPM at the time indicated. 

153 End of informative comment. 

154 Incoming Parameters and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM_TAG 


tag 


TPM_TAG_RQU_AUTH1 ^COMMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_C0M MAN D_C0DE 


ordinal 


Ordinal, fixed value of TPM_ORD„TickStampBlob 


4 


4 






TPM_KEY_HAN DLE 


keyHandle 


The keyHandle identifier of a loaded key that can perform digital 
signatures. 


5 


20 


2s 


20 


TPM.NONCE 


antiReplay 


Anti replay value to added to signature 


6 


20 


3s 


20 


TPM_DIGEST 


digestToStamp 


The digest to perform the tick stamp on 


7 


4 






TPM_AUTH HANDLE 


authHandle 


The authorization session handle used for keyHandle authorization 






2H1 


20 


TPM.NONCE 


authLastNonceEven 


Even nonce previously generated by TPM to cover inputs 


8 


20 


3H1 


20 


TPM.NONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


9 


1 


4H1 


1 


BOOL 


continueAuthSession 


The continue use flag for the authorization session handle 


10 


20 






TPM _AU THDATA 


privAuth 


The authorization session digest that authorizes the use of keyHandle. 
HMAC key: key.usageAuth 
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155 Outgoing Parameters and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


it 




n 


C7 

OL. 


1 


2 






TDM TAf2 


tag 


TDIM TAfi DQD Al ITH1 PHMMAMn 
I r (Vl_ I Mo_r\Or_AU I n l_OVJIVIIVlMINU 


2 


4 






1 IIMT^O 
UlrM 1 3c 




I Oldi riuiiiUcr ui uuipui uyitsb iiiuuuniy paidiiioi^c diiu lay 


3 


4 


1S 


4 


1 rM_KboULI 


returnCode 


The return code of the operation. 






2S 


4 


TPM_C0MMAND_C0DE 


ordinal 


Ordinal, fixed value of TPM_ORD_TickStampBlob 


4 


32 


3S 


32 


TPM_CURRENT_TICKS 


currentTicks 


The current time according to the TPM 


5 


4 


4S 


4 


UINT32 


sigSize 


The length of the returned digital signature 


6 


o 


5S 


o 


BYTE[] 


sig 


The resulting digital signature. 


7 


20 


2H1 


20 


TPM.NONCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 






3H1 


20 


TPM_N0NCE 


nonceOdd 


Nonce generated by system associated with authHandle 


8 


1 


4H1 


1 


BOOL 


continueAuthSession 


Continue use flag, TRUE if handle is still active 


9 


20 






TPM.AUTHDATA 


resAuth 


The authorization session digest for the returned parameters. HMAC key: 
key.usageAuth 



156 Description 

157 The function performs a digital signature on the hash of digestToStamp and the current tick 

158 count. 

1 59 It is the responsibility of the external system to maintain any relation between tick count 

160 and a UTC value or local real time value. 

161 Actions 

162 3. The TPM validates the AuthData to use the key pointed to by keyHandle. 

163 4. Validate that keyHandle -> keyUsage is TPM_KEY_SI GNING , TPM_KEY_IDENTITY or 

164 TPM_KEY_LEGACY, if not return the error code TPM_IN VALID_KE YU SAGE . 

165 5. Return TPM_INAPPROPRIATE_SIG if the keyHandle -> sigScheme is not SHA- 1 

166 6. If TPM_STCLEAR_DATA -> currentTicks is not properly initialized 

167 a. Initialize the TPM_STCLEAR_DATA -> currentTicks 

168 7. Create Tl, a TPM_CURRENT_TICKS structure. 

169 8. Create HI a TPM_SIGN_INFO structure and set the structure defaults 

170 a. Set HI -> fixed to "TSTF ? 

171 b. Set HI -> replay to antiReplay 

172 c. Create H2 the concatenation of digestToStamp | | Tl 

173 d. Set HI -> dataLen to the length of H2 

174 e. Set HI -> data to H2 

175 9. The TPM computes the signature, sig, using the key referenced by keyHandle, using 

176 SHA-1 of HI as the information to be signed 
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178 24. Transport Sessions 
24.1 TPM_EstablishTransport 



179 
180 

181 

182 
183 

184 
185 
186 

187 
188 



Start of informative comment: 

This establishes the transport session. Depending on the attributes specified for the session 
this may establish shared secrets, encryption keys, and session logs. The session will be in 
use for by the TPM_ExecuteTransport command. 

The only restriction on what can happen inside of a transport session is that there is no 
"nesting" of sessions, ft is permissible to perform operations that delete internal state and 
make the TPM inoperable. 

End of informative comment. . •_ ± 

Incoming Parameters and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM_TAG 


tag 


TPM_TAG_RQU_AUTH1_C0MMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal: TPM_ORD_EstablishTransport 


4 


4 






TPM_KEY_HANDLE 


encHandle 


The handle to the key that encrypted the blob 


5 


o 


2S 


o 


TPM_TRANSPORT_PUBLIC 


transPublic 


The public information describing the transport session 


6 


4 


3S 


4 


UINT32 


secretSize 


The size of the secret Area 


7 


<> 


4S 


o 


BYTEQ 


secret 


The encrypted secret area 


8 


4 






TPMJUJTHHANDLE 


authHandle 


The authorization session handle used for keyHandle authorization 






2H1 


20 


TPM_N0NCE 


authLastNonceEven 


Even nonce previously generated by TPM to cover inputs 


9 


20 


3H1 


20 


TPMJMONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


10 


1 


4H1 


1 


BOOL 


continueAuthSession 


The continue us e flag for the authorization session handle j 


11 


20 






TPM_AUTHDATA 


keyAuth 


Authorization. HMAC key: encKey.usageAuth 
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190 Outgoing Parameters and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


i 


L. 






TPM TAG 


taa 


TPM TAG RSP AUTH1 COMMAND 


o 

£. 


A 
H 






UINT32 


pa ram Size 


Total number of output bytes including paramSize and tag 


O 


A 


I o 


A 
H 


TPM_RESULT 


return Code 


The return code of the operation. 






2S 


4 


TPM_C0MMAND_C0DE 


ordinal 


Command ordinal: TPM_ORD_EstablishTransport 


4 


4 






TPM_TRANSHANDLE 


transHandle 


The handle for the transport session 


5 


4 


3S 


4 


TPM_MODIFIER_INDICATOR 


locality 


The locality that called this command 


6 


32 


4S 


32 


TPM_CURRENT_TICKS 


currentTicks 


The current tick count 


7 


20 


5S 


20 


TPMJMONCE 


transNonceEven 


The even nonce in use for subsequent execute fransport 


8 


20 


2H1 


20 


TPM_NONCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 






3H1 


20 


TPMJMONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


9 


1 


4H1 


1 


BOOL 


continueAuthSession 


Continue use flag, TRUE if handle is still active 


10 


20 






TPM.AUTHDATA 


resAuth 


Authorization. HMAC key: key.usageAuth 



191 Description 

192 This command establishes the transport sessions shared secret. The encryption of the 

193 shared secret uses the public key of the key loaded in encKey. 

194 Actions 

195 1 . If encHandle is TPM_KH_TRANSPORT then 

196 a. If tag is NOT TPM_TAG_RQU_COMMAND return TPM_BADTAG 

197 b. If transPublic -> transAttributes specifies TPM_TRANSPORT_ENCRYPT return 

1 98 TPM„BAD_SCHEME 

199 c. If secretSize is not 20 return TPM_BAD_PARAM_SIZE 

200 d. Set Al to secret 

201 2. Else 

202 a. encHandle -> keyUsage MUST be TPM_KEY_STORAGE or TPM_KEY_LEGACY return 

203 TPM_INVALID_KEYUSAGE on error 

204 b. If encHandle -> authDataUsage does not equal TPM_AUTH_NEVER and tag is NOT 

205 TPM_TAG_RQU_AUTH LCOMMAND return TPM_AUTHFAIL 

206 c. Using encHandle -> usageAuth validate the AuthData to use the key and the 

207 parameters to the command 

208 d. Create Kl a TPM_TRANSPORT_AUTH structure by decrypting secret using the key 

209 pointed to by encHandle 

210 e. Validate Kl for tag 

211 f. Set Al to Kl -> authData 

212 3. If transPublic -> transAttributes has TPM_TRANSPORT_ENCRYPT 
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213 a. If TPMJPERMANENT_FLAGS -> FIPS is true and transPublic -> algid is equal to 

2 14 TPM_ALG_MGF 1 return TPM_INAPPROPRIATE__ENC 

215 b. Check if the transPublic -> algid is supported, if not return 

216 TPM_BAD_KEY_PROPERTY 

217 c. If transPublic -> algid is TPM__ALG__3DES or TPNLALG.AESXXX, check that 

218 transPublic -> encScheme is supported, if not return TPM_INAPPROPRIATE_ENC 

219 d. Perform any initializations necessary for the algorithm 

220 4. Generate transNonceEven from the TPM RNG 

221 5. Create Tl a TPM_TRANSPORT_INTERNAL structure 

222 a. Ensure that the TPM has sufficient internal space to allocate the transport session, 

223 return TPM_RESOURCES on error 

224 b. Assign a Tl -> transHandle value. This value is assigned by the TPM 

225 c. Set Tl -> transDigest to NULL 

226 d. Set Tl -> transPublic to transPublic 

227 e. Set Tl-> transNonceEven to transNonceEven 

228 f. Set Tl -> authData to Al 

229 6. If TPMJ3TANYJDATA -> currentTicks is not properly initialized 

230 a. Initialize the TPM_STANY_DATA -> currentTicks 

23 1 7. Set currentTicks to TPM_STANY_DATA -> currentTicks 

232 8. If Tl -> transPublic -> transAttributes has TPM_TRANSPORT__LOG set then 

233 a. Create LI a TPM_TRANSPORT_LOG_IN structure 

234 i. Set LI -> parameters to SHA-1 (ordinal | | transPublic | | secretSize | | secret) 

235 ii. Set LI -> pubKeyHash to NULL 

236 iii. SetTl -> transDigest to SHA-1 (Tl -> transDigest | | LI) 

237 b. Create L2 a TPM_TRANSPORT_LOG_OUT structure 

238 i. Set L2 -> parameters to SHA-1 (returnCode | | ordinal | | locality | | currentTicks 

239 || transNonceEven) 

240 ii. Set L2 -> locality to the locality of this command 

241 iii. Set L2 -> currentTicks to currentTicks, this MUST be the same value that is 

242 returned in the currentTicks parameter 

243 iv. Set Tl -> transDigest to SHA-1 (Tl -> transDigest | | L2) 

244 9. If Tl -> transPublic -> transAttributes has TPM_TRANSPORT_EXCLUSIVE then set 

245 TPM_STANY_FLAGS -> transportExclusive to TRUE 

246 a. Execution of any command other than TPM_ExecuteTransport or 

247 TPM_ReleaseTransportSigned targeting this transport session will cause the abnormal 

248 invalidation of this transport session transHandle 
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249 b. The TPM gives no indication, other than invalidation of transHandle, that the session 

250 is terminated 

251 10. Return Tl -> transHandle as transHandle 
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252 

253 

254 
255 

256 
257 
258 

259 
260 
261 

262 
263 
264 

265 
266 



24.2 TPM_ExecuteTransport 

Start of informative comment: " " ~~ "~~ .' ' . ' ; ~"] 

' " ' r ' - ' ^ ; :->. ' v^\ v ; : ; - : ■ : ■ . ^ - : ; : s . ■ : ■ j 

Delivers a wrapped TPM command to the TPM where the TPM unwraps the command and 
then executes the command. ; I 

TPM_ExecuteTransport uses the same rolling nonce paradigm as other authorized TPM 
commands. The even nonces start in TPM_EstablishTransport and change on each 
invocation of TPM_ExecuteTransport. 

The only restriction on what . can happen inside of a transport session is that there is no 
"nesting" of sessions. It is permissible to perform operations that delete internal state and 
make the TPM inoperable. 

Because, in general, key handles are not logged, a digest of the corresponding public key is 
logged. In cases where the key handle is logged (e.g. TPM_OwnerReadInternalPub) , the 
Ipublic key is also logged. 

[End of informative comment. , : ■ . ,; ; . : : i : , r :^ ■ ■ 



Incoming Parameters and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM.TAG 


tag 


TPM_TAG_RQU_AUTH1_C0MMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal: TPM_ORD_ExecuteTransport 


4 


4 


2S 


4 


UINT32 


wrappedCmdSize 


Size of the wrapped command 


5 


o 


3S 


<> 


BYTEO 


wrappedCmd 


The wrapped command 


6 


4 






TPM.TRANSHANDLE 


transHandle 


The transport session handle 






2H1 


20 


TPM„N0NCE 


transLastNonceEven 


Even nonce previously generated by TPM 


7 


20 


3H1 


20 


TPM.NONCE 


transNonceOdd 


Nonce generated by caller 


8 


1 


4H1 


1 


BOOL 


continueTransSession 


The continue use flag for the authorization session handle 


9 


20 






TPM.AUTHDATA 


transAuth 


HMAC for transHandle key: transHandle -> authData 
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268 Outgoing Parameters and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 




SZ 


1 


2 






TPM_TAG 


tag 


TPM_TAG_RSP_AUTH1_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_RESULT 


returnCode 


The return code of the ExecuteTransport command. This does not reflect 
the status of wrapped command. 






2S 


4 


TPM COMMAND CODE 

1 1 IVI w WIVI 1 VlrAl 1U 


ordinal 


Command ordinal! TPM ORD ExecuteTransport 


4 


8 


3S 


8 


UINT64 


currentTicks 


The current ticks when the command was executed 


5 


4 


4S 


4 


TPM„MODIFIER_INDICATOR 


locality 


The locality that called this command 


6 


4 


5S 


4 


UINT32 


wrappedRspSize 


Size of the wrapped response 


7 


<> 


6S 


<> 


BYTEQ 


wrappedRsp 


The wrapped response 


8 


20 


2H1 


20 


TPMJJONCE 


transNonceEven 


Even nonce newly generated by TPM 






3H1 


20 


TPM.NONCE 


transNonceOdd 


Nonce generated by caller 


9 


1 


4H1 


1 


BOOL 


continueTransSession 


The continue use flag for the session 


10 


20 






TPM_AUTHDATA 


transAuth 


HMAC for transHandle key: transHandle -> authData 



269 Description 

270 1. This command executes a TPM command using the transport session. 

271 2. Prior to execution of the wrapped command (action 11 below) failure of the transport 

272 session MUST have no effect on the resources referenced by the wrapped command. The 

273 exception is when the TPM goes into failure mode and return FAILED_SELFTEST for all 

274 subsequent commands. 

275 3. After execution of the wrapped command, failure of the transport session MUST have an 

276 effect on the wrapped command resources. The reason for this is that the transport 

277 session will be returning an error code and not reporting any session nonces. The entire 

278 wrapped command response is lost so nonces, handles and such are lost to the caller. 

279 4. Execution of the wrapped command (action 1 1) SHOULD have no effect on the transport 

280 session. 

281 a. The wrapped command SHALL use no resources of the transport session, this 

282 includes authorization sessions 

283 b. If the wrapped command execution returns an error (action 11 below) then the 

284 sessions for TPM_ExecuteTransport still operate properly. 

285 c. The exception to this is when the wrapped command causes the TPM to go into 

286 failure mode and return TPM^FAILSELFTEST for all subsequent commands 

287 5. Field layout 

288 a. Command representation 

289 b ********************************************************* 

290 c. TAGet | LENet | ORDet | wrappedCmdSize | wrappedCmd | AUTHet 
2<j i ^ ******************************** 
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292 e. wrappedCmd looks like the following 

293 f ******************************************** 

294 g. TAGw | LENw | ORDw | HANDLESw(o) | DATAw | AUTHlw (o) | AUTH2w (o) 

295 Y\ **************************************************************************************** 

296 i. | LEN1 | 

297 j. | El | (encrypted) 

298 k. | CI | (decrypted) 

299 1. Response representation 

3QQ *************************************************** *********************** 

301 n. TAGet | LENet | RCet | wrappedRspSize | wrappedRsp | AUTHet 

302 o ************************************************************************** 

303 p. wrappedRsp looks like the following 

304 q ************************************************************************************* 

305 r. TAGw | LENw | RCw | HANDLESw(o) | DATAw | AUTHlw (o) | AUTH2w (o) 

306 s ************************************************************************************* 

307 t. I LEN2 | 

308 u. | <r C2 -» | 

309 v. | S2 | (decrypted) 

310 w. | E2 | (encrypted) 

311 x. The only parameter that is possibly encrypted is DATAw 

312 6. Additional DATAw comments 

313 a. For TPM_FlushSpecific and TPM_SaveContext 

314 i. The DATAw part of these commands does not include the handle. 

315 (1) It is understood that encrypting the resourceType prevents a determination of 

316 the handle type . 

317 ii. If the resourceType is TPM_RT_KEY, then the public key SHOULD be logged. 

318 b. For TPM_DAA_Join and TPM_DAA_Sign 

319 i. The DATAw part of these commands does not include the handle 

320 c. For TPM_LoadKey2 

321 i. The outgoing handle is not part of the outgoing DATAw and is not encrypted or 

322 logged by the outgoing transport. 

323 d. For TPM_LoadKey 

324 i. The outgoing handle is part of the outgoing DATAw and is encrypted. 

325 e. For TPM_LoadContext 
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326 i. The outgoing handle is not part of the outgoing DATAw and is not encrypted or 

327 logged by the outgoing transport. 

328 (1) It is understood that encrypting the contextBlob prevents a determination of 

329 the handle type. 

330 7. TPM_ExecuteTransport returns an implementation defined result when the wrapped 

331 command would cause termination of the transport session. Implementation defined 

332 possibilities include but are not limited to: the wrapped command may execute, 

333 completely, partially, or not at all, the transport session may or not be terminated, 

334 continueTransSession may not be processed or returned correctly, and an error may or 

335 may not be returned. The wrapped commands include: 

336 a. TPM_FlushSpecific, TPMJSaveContext targeting the transport session 

337 b. TPM^OwnerClear, TPM_ForceClear, TPM_RevokeTrust 

338 Actions 

339 1. Using transHandle locate the TPMJTRANSPORTJNTERNAL structure Tl 

340 2. Parse wrappedCmd 

341 a. Set TAGw, LENw, and ORDw to the parameters from wrappedCmd 

342 b. Set El to DATAw 

343 i. This pointer is ordinal dependent and requires the execute transport command to 

344 parse wrappedCmd 

345 c. Set LEN1 to the length of DATAw 

346 i. DATAw always ends at the start of AUTH lw if AUTH lw is present 

347 3. If LEN1 is less that 0, or if ORDw is unknown, unimplemented, or cannot be determined 

348 a. Return TPMJ3AD_PARAMETER 

349 4. If Tl -> transPublic -> transAttributes has TPM_TRANSPORT_ENCRYPT set then 

350 a. If Tl -> transPublic -> algid is TPM_ALG JMGF 1 

351 i. Using the MGF1 function, create string Gl of length LEN1. The inputs to the 

352 MGF1 are transLastNonceEven, transNonceOdd, "in", and Tl -> authData. These 

353 four values concatenated together form the Z value that is the seed for the MGF1. 

354 ii. Create CI by performing an XOR of Gl and wrappedCmd starting at El. 

355 b. If the encryption algorithm requires an IV calculate the IV values 

356 i. Using the MGF1 function, create string IV1 with a length set by the block size of 

357 the encryption algorithm. The inputs to the MGF1 are transLastNonceEven, 

358 transNonceOdd, and "in". These three values concatenated together form the Z 

359 value that is the seed for the MGF1. Note that any terminating characters within 

360 the string "in" are ignored, so a total of 42 bytes are hashed. 

361 ii. Blocksize for TPM_AL G_DES is 8 

362 iii. Blocksize for TPM_ALG_AESxxx is 16 

363 iv. The symmetric key is taken from the first bytes of Tl -> authData. 
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364 v. Decrypt DATAw and replace the DATAw area of El creating CI 

365 c. TPM_OSAP, TPM_OIAP have no parameters encrypted 

366 d. TPM_DSAP has special rules for parameter encryption 

367 5. Else 

368 a. Set CI to the DATAw area El of wrappedCmd 

369 6. Create HI the SHA-1 of (ORDw | | CI). 

370 a. C 1 MUST point at the decrypted DATAw area of E 1 

371 b. The TPM MAY use this calculation for both execute transport authorization, 

372 authorization of the wrapped command and transport log creation 

373 7. Validate the incoming transport session authorization 

374 a. Set inParamDigest to SHA- 1 (ORDet | | wrappedCmdSize | | HI) 

375 b. Calculate the HMAC of (inParamDigest | | transLastNonceEven | | transNonceOdd | | 

376 continueTransSession) using Tl -> authData as the HMAC key 

377 c. Validate transAuth, on errors return TPM_AUTHFAIL 

378 8. If TPM_ExecuteTransport requires auditing 

379 a. Create TPM_AUDIT_EVENTJN using HI as the input parameter digest and update 

380 auditDigest 

38 1 b. On any error return TPM_AUDITFAIL_UNSUCCESSFUL 

382 9. If ORDw is from the list of following commands return TPM_N 0_WRAP_TRAN SPO RT 

383 a. TPM_EstablishTransport 

384 b. TPM_ExecuteTransport 

385 c. TPM_ReleaseTransportSigned 

386 lO.If Tl -> transPublic -> transAttributes has TPM_TRANSPORT_LOG set then 

387 a. Create L2 a TPM_TRANSPORT_LOG_IN structure 

388 b. Set L2 -> parameters to HI 

389 c. If ORDw is a command with no key handles 

390 i. Set L2 -> pubKeyHash to NULL 

39 1 d. If ORDw is a command with one key handle 

392 i. Create K2 the hash of the TPM_STORE_PUBKEY structure of the key pointed to 

393 by the key handle. 

394 ii. Set L2 -> pubKeyHash to SHA-1 (K2) 

395 e. If ORDw is a command with two key handles 

396 i. Create K2 the hash of the TPM_STORE_PUBKEY structure of the key pointed to 

397 by the first key handle. 

398 ii. Create K3 the hash of the TPM_STOREJPUBKEY structure of the key pointed to 

399 by the second key handle. 
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400 iii. Set L2 -> pubKeyHash to SHA-1 (K2 | | K3) 

401 f. Set Tl -> transDigest to the SHA-1 (Tl -> transDigest | | L2) 

402 g. If ORDw is a command with key handles, and the key is not loaded, return 

403 TPM JNVALID_KEYHANDLE . 

404 1 1 . Send the wrapped command to the normal TPM command parser, the output is C2 and 

405 the return code is RCw 

406 a. If ORDw is a command that is audited then the TPM MUST perform the input and 

407 output audit of the command as part of this action. 

408 b. The TPM MAY use H 1 as the data value in the authorization and audit calculations 

409 during the execution of C 1 

410 12. Set CT1 to TPM_STANY_JDATA -> currentTicks -> currentTicks and return CT1 in the 

411 currentTicks output parameter 

412 13. Calculate S2 the pointer to the DATAw area of C2 

413 a. Calculate LEN2 the length of S2 according to the same rules that calculated LEN1 

414 14. Create H2 the SHA-1 of (RCw | | ORDw | | S2) 

415 a. The TPM MAY use this calculation for execute transport authorization and transport 

416 log out creation 

417 15. Calculate the outgoing transport session authorization 

418 a. Create the new transNonceEven for the output of the command 

419 b. Set outParamDigest to SHA-1 (RCet [ | ORDet | | TPM_STANY_DATA -> currentTicks 

420 -> currentTicks | | locality | | wrappedRspSize | | H2) 

421 c. Calculate transAuth, the HMAC of (outParamDigest | | transNonceEven | | 

422 transNonceOdd | | continueTransSession) using Tl -> authData as the HMAC key 

423 16. If Tl -> transPublic -> transAttributes has TPM_TRANSPORT_LOG set then 

424 a. Create L3 a TPM_TRANSPORT_LOG_OUT structure 

425 b. Set L3 -> parameters to H2 

426 c. Set L3 -> currentTicks to TPM_STANY_DATA -> currentTicks 

427 d. Set L3 -> locality to TPM_STANYJDATA -> localityModifier 

428 e. SetTl -> transDigest to the SHA-1 (Tl -> transDigest | | L3) 

429 17. If Tl -> transPublic -> transAttributes has TPM_TRANSPORT_ENCRYPT set then 

430 a. If Tl -> transPublic -> Algid is TPM__ALG_MGF 1 

431 i. Using the MGF1 function, create string G2 of length LEN2. The inputs to the 

432 MGF1 are transNonceEven, transNonceOdd, "out", and Tl -> authData. These 

433 four values concatenated together form the Z value that is the seed for the MGF1. 

434 ii. Create E2 by performing an XOR of G2 and C2 starting at S2. 

435 b. Else 
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436 i. Create IV2 using the same algorithm as IV1 with the input values 

437 transNonceEven, transNonceOdd, and "out". Note that any terminating 

438 characters within the string "out" are ignored, so a total of 43 bytes sire hashed. 

439 ii. Create E2 by encrypting C2 starting at S2 using IV2 

440 18. Else 

441 a. Set E2 to the DATAw area S2 of wrappedRsp 

442 19. If continueTransSession is FALSE 

443 a. Invalidate all session data related to transHandle 

444 20. If TPM_ExecuteTranport requires auditing 

445 a. Create TPM_AUDIT_EVENT_OUT using H2 for the parameters and update the 

446 auditDigest 

447 b. On any errors return TPM_AUDITFAIL_SUCCESSFUL or 

448 TPM_AUDITFAIL_UNSUCCESSFUL depending on RCw 

449 2 1. Return C2 but with S2 replaced by E2 in the wrappedRsp parameter 
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450 

451 

452 
453 
454 

455 
456 

457 
458 
459 
460 

461 
462 
463 

464 
465 



24.3 TPMJReleaseTransportSigned 



Start of informative comment: 

This command completes the transport session. If logging for this session is turned on, then 
this command returns a hash of all operations performed during the session along with a 
digital signature of the hash. 

This command serves no purpose if logging is turned off, and results in an error ifj 
attempted. j 

This command uses two authorization sessions, the key that will sign the log and the 
authorization from the session. Having the session authorization proves that the requestor 
that is signing the log is the owner of the session. If this restriction is not put in then an 
attacker can close the log and sign using their own key. 

The hash of the session log includes the information associated with the input phase of 
execution of the TPMJReleaseTransportSigned command. It cannot include the output 
phase information. 

End of informative comment* 



Incoming Parameters and Sizes 



PARAM 


HMAC j 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM.TAG 


tag 


TPM_TAG_RQU_AUTH2_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_C0MMAND_C0DE 


ordinal 


Command ordinal: TPM_ORD_ReleaseTransportSigned 


4 


4 






TPM_KEY_HANDLE 


key Handle 


Handle of a loaded key that will perform the signing 


5 


20 


2S 


20 


TPM.NONCE 


antiReplay 


Value provided by caller for anti -replay protection 


6 


4 






TPM.AUTHHANDLE 


authHandie 


The authorization session to use key 






2H1 


20 


TPM_N0NCE 


authLastNonceEven 


Even nonce previously generated by TPM to cover inputs 


7 


20 


3H1 


20 


TPM.NONCE 


authNonceOdd 


Nonce generated by system associated with authHandie 


8 


1 


4H1 


1 


BOOL 


continueAuthSession 


The continue use flag for the authorization session handle 


9 


20 






TPIVLAUTHDATA 


keyAuth 


The authorization session digest that authorizes the use of key. HMAC 
key: key -> usageAuth 


10 


4 






TPM_TRANSHANDLE 


transHandle 


The transport session handle 






2H2 


20 


TPMJMONCE 


trans LastNonceEven 


Even nonce in use by execute Transport 


11 


20 


3H2 


20 


TPMJMONCE 


trans NonceOdd 


Nonce supplied by caller for transport session 


12 


1 


4H2 


1 


BOOL 


continueTrans Session 


The continue use flag for the authorization session handle 


13 


20 






TPM_AUTHDATA 


transAuth 


HMAC for transport session key: transHandle -> authData 
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466 Outgoing Parameters and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


u 
ft 




■u 
It 




1 


2 






TPM_TAG 


tag 


TrM_TAG_R5P_AUTnZ_COIvllvlAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_RESULT 


retumCode 


The return code of the operation. 






2S 


4 


TPM_C0MMAND_C0DE 


ordinal 


Command ordinal: TPM_ORD_Re!easeTransportSigned 


4 


4 


3S 


4 


TPM_MODIFIER_INDICATOR 


locality 


The locality that called this command 


5 


32 


4S 


32 


TPM_CURRENTJICKS 


currentTicks 


The current ticks when the command executed 


6 


4 


5S 


4 


U1NT32 


signSize 


The size of the signature area 


7 


o 


6S 


<> 


BYTEQ 


signature 


The signature of the digest 


8 


20 


2H1 


20 


TPMJMONCE 


authNonceEven 


Even nonce newly generated by TPM 






3H1 


20 


TPM.NONCE 


authNonceOdd 


Nonce generated by caller 


9 


1 


4H1 


1 


BOOL 


continueAuthSession 


The continue use flag for the session 


10 


20 






TPM.AUTHDATA 


keyAuth 


HMAC: key -> usageAuth 


11 


20 


2H2 


20 


TPM.NONCE 


transNonceEven 


Even nonce newly generated by TPM 






3H2 


20 


TPMJMONCE 


transNonceOdd 


Nonce generated by caller 


12 


1 


4H2 


1 


BOOL 


continueTransSession 


The continue use flag for the session 


13 


20 






TPM.AUTHDATA 


transAuth 


HMAC: transHandle -> authData 



467 
468 

469 

470 

471 

472 
473 

474 
475 

476 

477 

478 

479 

480 

481 

482 

483 



Description 

This command releases a transport session and signs the transport log 
Actions 

1. Using transHandle locate the TPM_TRANSPORT_INTERNAL structure Tl 

2. Return TPM_INAPPROPRIATE_SIG if the key -> sigScheme is not SHA- 1 

Using key -> authData validate the command and parameters, on error return 
TPM AUTHFAIL 



3. 
4. 



Using transHandle -> authData validate the command and parameters, on error return 
TPM AUTH2FAIL 



5. If Tl -> transAttributes has TPM_TRANSPORT_LOG set then 

a. Create Al a TPM_TRANSPORT_LOG_OUT structure 

b. Set Al -> parameters to the SHA- 1 (ordinal | | antiReplay) 

c. Set Al -> currentTicks to TPM_STANY_DATA -> currentTicks 

d. Set Al -> locality to the locality modifier for this command 

e. Set Tl -> transDigest to SHA-1 (Tl -> transDigest | | Al) 

6. Else 

a. Return TPM_BAD_MODE 
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484 7. Create HI a TPM_SIGN_INFO structure and set the structure defaults 

485 a. Set HI -> fixed to "TRAN" 

486 b. Set HI -> replay to antiReplay 

487 c. Set HI -> data to Tl -> transDigest 

488 d. Sign SHA- 1 hash of HI using the key pointed to by key 

489 8. Invalidate all session data related to Tl 

490 9. Set continueTransSession to FALSE 

49 1 1 0. Return TPM.SUCCESS 
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492 25. Monotonic Counter 

493 25.1 TPMCreateCounter 

494 



495 
496 
497 
498 
499 

500 
501 



Start of informative comment: 

This command creates the counter but does not select the counter; Counter creation 
assigns an AuthData value to the counter and sets the counters original start value. The 
original start value is the current internal base value plus one. Setting the new counter to 
the internal base avoids attacks on the system that are attempting to use old counter 
lvalues. 

End of informative comment. 



Incoming Parameters and Sizes 



PARAM 1 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM_TAG 


tag ; 


TPM_TAG_RQU_AUTH 1 ^COMMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes incl. paramSize and tag 


3 


4 


1S 


4 


TPNLCOMMANDCODE 


ordinal 


Command ordinal: TPM_ORD_CreateCounter 


4 


20 


2S 


20 


TPM.ENCAUTH 


encAuth 


The encrypted auth data for the new counter 


5 


4 


3s 


4 


BYTE 


label 


Label to associate with counter 


7 


4 






TPM_AUTHHANDLE 


authHandle 


The authorization session handle used for owner authentication. 






2H1 


20 


TPM_N0NCE 


authLastNonceEven 


Even nonce previously generated by TPM to cover inputs 


8 


20 


3H1 


20 


TPM_N0NCE 


nonceOdd 


Nonce generated by system associated with authHandle 


9 


1 


4H1 


1 


BOOL 


continueAuthSession 


Ignored 


10 


20 




20 


TPM.AUTHDATA 


ownerAuth 


Authorization ow nerAuth. 
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502 Outgoing Parameters and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM_TAG 


tag 


TPM_TAG_RSP_AUTH 1 .COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TDM DCCI II T 


returnCodG 


i ne return cooe ot ine operation. 






2S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal: TPM_ORD_CreateCounter 


4 


4 


3s 


4 


TPM_C0UNT_ID 


countID 


The handle for the counter 


5 


10 


4S 


10 


TPM_C 0U NTER_VALU E 


counterValue 


The starting counter value 


6 


20 


2H1 


20 


TPM.NONCE 


nonce Even 


Even nonce newly generated by TPM to cover outputs 






3H1 


20 


TPM_N0NCE 


nonceOdd 


Nonce generated by system associated with authHandle 


7 


1 


4H1 


1 


BOOL 


continueAuthSession 


Fixed value of FALSE 


8 


20 




20 


TPMJVUTHDATA 


resAuth 


Authorization. HMAC key: ownerAuth. 



503 Description 

504 This command creates a new monotonic counter. The TPM MUST support a minimum of 4 

505 concurrent counters. 

506 Actions 

507 The TPM SHALL do the following: 

508 1 . Using the authHandle field, validate the owner's AuthData to execute the command and 

509 all of the incoming parameters. The authorization session MUST be OSAP or DSAP 

510 2. Ignore continueAuthSession on input and set continueAuthSession to FALSE on output 

511 3. If authHandle indicates XOR encryption for the AuthData secrets 

512 a. Create XI the SHA-1 of the concatenation of (authHandle -> sharedSecret | | 

513 authLastNonceEven) 

514 b. Create al by XOR XI and encAuth 

515 4. Else 

516 a. Create al by decrypting encAuth using the algorithm indicated in the OSAP session 

517 b. Key is from authHandle -> sharedSecret 

518 c. IV is SHA-1 of (authLastNonceEven | | nonceOdd) 

519 5. Validate that there is sufficient internal space in the TPM to create a new counter. If 

520 there is insufficient space, the command returns an error. 

521 a. The TPM MUST provide storage for al, TPM_COUNTER_VALUE, countID, and any 

522 other internal data the TPM needs to associate with the counter 

523 6. Increment the max counter value 

524 7. Set the counter to the max counter value 

525 8. Set the counter label to label 
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526 9. Create a countID 
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527 25.2 TPMJncrementCounter 

528 Start of informative comment: 

529 iThis authorized command increments the indicated counter by one. Once a counter has 

530 [been incremented then all subsequent increments must be for the same handle until a 

53 1 successful TPM_Startup(ST_CLEAR) is executed. 

< t- , - , <- • , (■ 

532 The order for checking validation of the command parameters when no counter is active, 

533 keeps an attacker from creating a denial-cf-service attack. 

534 End of informative comme nt. w". " r < . , ' ; . , : • ■ . : -k 

535 Incoming Parameters and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPMJTAG 


tag 


TPM_TAG_RQU_AUTH1_C0MMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal: TPM_ORDJncrementCounter 


4 


4 


2s 


4 


TPM_COUNT_ID 


countlD 


The handle of a valid counter 


5 


4 






TPM_AUTHHANDLE 


authHandle 


The authorization session handle used for counter authorization 






2H1 


20 


TPM_NONCE 


authLastNonceEven 


Even nonce previously generated by TPM to cover inputs 


6 


20 


3H1 


20 


TPM_N0NCE 


nonceOdd 


Nonce generated by system associated with authHandle 


7 


1 


4H1 


1 


BOOL 


continueAuthSession 


The continue use flag for the authorization session handle 


8 


20 






TPM.AUTHDATA 


counterAuth 


The authorization session digest that authorizes the use of countlD. 
HMAC key: countlD -> authData 


Outgoing Parameters and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM.TAG 


tag 


TPM_TAG_RSP_AUTH1_C0MMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_RESULT 


returnCode 


The return code of the operation. 






2S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal: TPMJDRDJncrementCounter 


5 


10 


3S 


10 


TPM_COUNTER_VALUE 


count 


The counter value 


6 


20 


2H1 


20 


TPM_NONCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 






3H1 


20 


TPMJMONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


7 


1 


4H1 


1 


BOOL 


continueAuthSession 


Continue use flag, TRUE if handle is still active 


8 


20 






TPM.AUTHDATA 


resAuth 


The authorization session digest for the returned parameters. HMAC key: 
countlD -> authData 



537 Description 

538 This function increments the counter by 1 . 

539 The TPM MAY implement increment throttling to avoid burn problems 



248 



TCG Published 



Level 2 Revision 94 29 March 2006 Draft 



TPM Main Part 3 Commands TCG © Copyright 

Specification Version 1 .2 

540 Actions 

541 1. If TPM_STCLEAR_DATA -> countID is NULL 

542 a. Validate that countID is a valid counter, return TPMJ3AD_COUNTER on mismatch 

543 b. Validate the command parameters using counterAuth 

544 c. Set TPM_STCLEAR_DATA -> countID to countID 

545 2. else 

546 a. If TPM_STCLEAR_DATA -> countID does not equal countID 

547 i. Return TPM_BAD_COUNTER 

548 b. Validate the command parameters using counterAuth 

549 3. Increments the counter by 1 

550 4. Return new count value in count 
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551 25.3 TPM ReadCounter 




555 Incoming Parameters and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM_TAG 


tag 


TPM_TAG_RQU_COMMAN D 


2 


4 






UINT32 


paramSize 


Total number of input bytes incl. paramSize and tag 


3 


4 


1S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal: TPM_ORD_ReadCounter 


4 


4 


2S 


4 


TPM_COUNTJD 


countID 


ID value of the counter 


Outgoing Parameters and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM_TAG 


tag 


TPM_TAG_RSP_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM.RESULT 


returnCode 


The return code of the operation. 






2S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal: TPM_ORD_ReadCounter 


4 


10 


3S 


4 


TPM_COUNTER_VALUE 


count 


The counter value 



557 Description 

558 This returns the current value for the counter indicated. The counter MAY be any valid 

559 counter. 

560 Actions 

561 1. Validate that countID points to a valid counter. Return TPM_BAD_COUNTER on error. 

562 2. Return count 
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563 25.4 TPM_ReleaseCounter 

564 

565 
566 

567 

568 Incoming Parameters and Sizes 



Start of informative comment: 

fl lit! ' k \ ' " * \ % " it H ' ; '*",." H ' ,\ ' 
This command releases a counter such that no r 


eads or increments 


of the indicated counter 


will succeed. - " ■ ■ ■ • : . / 
End of informative comment* 







PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPMJTAG 


tag 


TPM_TAG_RQU_AUTH 1 .COMMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal: TPM_ORD_ReleaseCounter 


4 


4 


2s 


4 


TPM_COUNTJD 


countID 


ID value of the counter 


5 


4 






TPM_AUTH HANDLE 


authHandle 


The authorization session handle used for countID authorization 






2H1 


20 


TPMJMONCE 


authLastNonceEven 


Even nonce previously generated by TPM to cover inputs 


6 


20 


3H1 


20 


TPM.NONCE 


nonceOdd 1 


Nonce associated with countID 


7 


1 


4H1 


1 


BOOL 


continueAuthSession 


Ignored 


8 


20 






TPM_AUTHDATA 


counterAuth ; 


The authorization session digest that authorizes the use of countID. 
HMAC key: countID -> authData I 


Ou 


tgoing Parameters and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


sz 


# 


SZ 


1 


2 






TPMJTAG 


tag 


TPM_TAG_RSP_AUTH 1 _COMMAND 


; 2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM.RESULT 


returnCode 


The return code of the operation. 






2S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal: TPM_ORD_ReleaseCounter 


4 


20 


2H1 


20 


TPM.NONCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 






3H1 


20 


TPM.NONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


5 


1 


4H1 


1 


BOOL 


continueAuthSession 


Continue use flag, TRUE if handle is still active 


6 


20 






THvWUJTHDATA 


resAuth 


The authorization session digest for the returned parameters. HMAC key: 
countID -> authData 



569 



570 

571 

572 
573 

574 
575 

576 



Actions 

The TPM uses countID to locate a valid counter. 

1. Authenticate the command and the parameters using the AuthData pointed to by 
countID. Return TPM_AUTHFAIL on error 

2. The TPM invalidates all internal information regarding the counter. This includes 
releasing countID such that any subsequent attempts to use countID will fail. 

3. The TPM invalidates sessions 
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577 a. MUST invalidate all OSAP sessions associated with the counter 

578 b. MAY invalidate any other session 

579 4. If TPM_STCLEAR_D ATA -> countID equals countID, 

580 a. Set TPM_STCLEAR_DATA -> countID to an illegal value (not the NULL value) 
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581 

582 

583 
584 

585 
586 



25.5 TPM ReleaseCounterOwner 



Start of informative comment 



^" " ^ A 1 / + A ' + f +V> ' A' + A t 

This command releases a counter such that no reads or increments of the indicated counter 



will succeed. 

End of informative comment . 



Incoming Parameters and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM_TAG 


tag 


TPM_TAG_RQU_AUTH 1 .COMMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal: TPM_ORD_ReleaseCounterOwner 


4 


4 


2s 


4 


TPM_COUNTJD 


countID 


ID value of the counter 


5 


4 






TPM.AUTHHANDLE 


authHandle 


The authorization session handle used for owner authentication 






2H1 


20 


TPM_NONCE 


authLastNonceEven 


Even nonce previously generated by TPM to cover inputs 


6 


20 


3H1 


20 


TPM_NONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


7 


1 


4H1 


1 


BOOL 


continueAuthSession 


The continue use flag for the authorization session handle 


8 


20 






TPM.AUTHDATA 


ownerAuth 


The authorization session digest that authorizes the inputs. HMAC key: 
ownerAuth 


Outgoing Parameters and Sizes 


PARAM 


HMAC 


Type 


Name 


Description | 


# 


SZ 


# 


SZ 




1 


2 






TPM.TAG 


tag 


TPM_TAG_RSP_AUTH1_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


t 3 


4 


1S 


4 


TPM.RESULT 


returnCode 


The return code of the operation. 






2S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal: TPM_ORD_ReleaseCounterOwner 


4 


20 


2H1 


20 


TPM_NONCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 






3H1 


20 


TPM_NONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


5 


1 


4H1 


1 


BOOL 


continueAuthSession 


Continue use flag, TRUE if handle is still active 


6 


20 






TPM_AUTHDATA 


resAuth 


The authorization session digest for the returned parameters. HMAC key: 
ownerAuth 



587 



588 
589 

590 

591 

592 
593 



Description 

This invalidates all information regarding a counter. 
Actions 

1 . Validate that ownerAuth properly authorizes the command and parameters 

2. The TPM uses countID to locate a valid counter. Return TPM_BAD_COUNTER if not 
found. 
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594 3. The TPM invalidates all internal information regarding the counter. This includes 

595 releasing countID such that any subsequent attempts to use countID will fail. 

596 4. The TPM invalidates sessions 

597 a. MUST invalidate all OSAP sessions associated with the counter 

598 b. MAY invalidate any other session 

599 5. If TPM_STCLEAR_DATA -> countID equals countID, 

600 a. Set TPM_STCLEAR_DATA -> countID to an illegal value (not the NULL value) 



254 



TCG Published 



Level 2 Revision 94 29 March 2006 Draft 



TPM Main Part 3 Commands 
Specification Version 1 .2 



TCG © Copyright 



601 26. DAA commands 

602 26.1 TPM DAA Join 



606 
607 



603 Start of infoimative comment: 



604 |TPM DAA Join is the process that establishes the DAA parameters in the TPM for a specific 

605 IDAA issuing authority. 



! End of informative comment. 

? i . — — ; - — — . 



Incoming Parameters and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPMJTAG 


tag 


TPM_TAG_RQU_AUTH 1 _C0MMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes incl. paramSize and tag 


3 


4 


1S 


4 


TPM_C0MMAND_C0DE 


ordinal 


Command ordinal: TPMJDRD_DAA_Join. 


4 


4 






TPM.HANDLE 


handle 


Session handle 


5 


1 


2S 


1 


BYTE 


stage 


Processing stage of join 


6 


4 


3S 


4 


UINT32 


inputSizeO 


Size of inputDataO for this stage of JOIN 


7 


o 


4S 


<> 


BYTEQ 


inputDataO 


Data to be used by this capability 


8 


4 


5S 


4 


UINT32 


inputSizel 


Size of inputDatal for this stage of JOIN 


9 


<> 


6S 


<> 


BYTEQ 


inputDatal 


Data to be used by this capability 


10 


4 






TPM.AUTHHANDLE 


authHandle 


The authorization session handle used for owner authentication 






2H1 


20 


TPM_N0NCE 


authLastNonceEven 


Even nonce previously generated by TPM to cover inputs ' 


11 


20 


3H1 


20 


TPM_N0NCE 


nonceOdd 


Nonce generated by system associated with authHandle 


12 


1 


4H1 


1 


BOOL 


continueAuthSession 


Continue use flag, TRUE if handle is still active 


13 


20 




20 


TPM.AUTHDATA 


ownerAuth 


The authorization session digest for inputs and owner. HMAC key: 
ownerAuth. 



Level 2 Revision 94 29 March 2006 Draft 



255 

TCG Published 



Copyright © TCG 



TPM Main Part 3 Commands 
Specification Version 1 .2 



608 Outgoing Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM_TAG 


tag 


TPM_TAG_RSP_AUTH1_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes ind. paramSize and tag 


3 


4 


1S 


4 


TPM_RESULT 


retumCode 


The return code of the operation 






2S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal: TPM_ORD_DAA_Join. 


4 


4 


3S 


4 


UINT32 


outputSize 


Size of outputData 


5 


<> 


4S 


<> 


BYTEQ 


outputData 


Data produced by this capability 


6 


20 


2H1 


20 


TPM_N0NCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 






3H1 


20 


TPMJMONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


7 


1 


4H1 


1 


BOOL 


continueAuthSession 


Continue use flag, TRUE if handle is still active 


8 


20 




20 


TPM_AUTHDATA 


resAuth 


Authorization HMAC key: ownerAuth. 
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609 

610 
611 



Description 

This table summaries the input, output and saved data that is associated with each stage of 
processing. 

Stage Input DataO Input Datal Operation Output Data Scratchpad 

0 DAA_count NULL initialise Session Handle NULL 
(used as # repetitions of stage 1) 

1 nO signatureValue rekeying NULL nO 

2 DAAJssuerSettings signatureValue issuer settings NULL NULL 

3 DAAcount NULL DAA_join_uo, NULL NULL 



4 DAA_generic_RO 

5 DAA_generic_R1 

6 DAA_generic_SO 

7 DAA_generic_S1 

8 NE 

9 DAA_generic_RO 

10 DAA_generic_R1 

11 DAA_generic_SO 

12 DAA_generic_S1 

13 DAA_generic_gamma 

14 DAA_generic_gamma 

15 DAA_generic_gamma 

16 d 

17 NULL 

18 NULL 

19 NULL 

20 NULL 

21 NULL 

22 u2 

23 u3 

24 NULL 



DAA_generic_n 
DAA_generic_n 
DAA_generic_n 
DAA_generic_n 
NULL 

DAA_generic_n 
DAA_generic_n 
DAA_generic_n 
DAA_generic_ji 
w 

NULL 
NULL 

NULL 
NULL 
NULL 
NULL 

NULL 

NULL 
NULL 

NULL 
NULL 



rekeying 

issuer settings 

DM join_uo, 
DAA_join_u1 

P1=R0 A f0mod n 

P2 = P1*(R1 A f1)modn 

P3 = P2*(S0 A u0)modn 

U = P3*(S1 A u1) mod n 

U2 

P1=R0 A r0 mod n 

P2 = P1*(R1 A r1)modn 

P3 = P2*(S0 A r2) mod n 

P4 = P3*(S1 A r3)mod n 

w1 = w A q mod gamma 

E = w A f mod gamma 

r = rO + (2 A powerO)*r1 mod q, 
E1 = w A r mod gamma 

c = hash(d || NT) 

sO = rO + c*K) 

s1 = r1 + c*f1 

s2 = r2 + c # uO 
mod 2 A power1 

s12 = r2 + c*uO 

» powerl 

s3 = r3 + c*u1 +s12 

vO = u2 + uO mod 2 A power1 
v10 = u2 + uO » powerl 

V1 = u3 + u1 + v10 

enc(DAA_tpmSpecific) 



NULL 
NULL 
NULL 
U 

U2 

NULL 

NULL 

NULL 

P4 

NULL 

E 

E1 

nt 
sO 
s1 
s2 



s3 

enc(vO) 



enc(v1) 

enc(DAAJpmSpecific) 



P1 
P2 
P3 

NULL 

NULL 

P1 

P2 

P3 

NULL 

w 

w 

NULL 

NULL 
NULL 
NULL 
NULL 

S12 

NULL 
v10 

NULL 
NULL 



612 
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613 Actions 

614 A Trusted Platform Module that receives a valid TPM_DAA_Join command SHALL: 

615 1 . Use owner Auth to verify that the Owner authorized all TPM_DAA_Join input parameters. 

616 2. Any error return results in the TPM invalidating all resources associated with the join 

617 3. Constant values of 0 or 1 are 1 byte integers, stages affected are 

618 a. 4(j), 5(j), 14(f), 17(e) 

619 4. Representation of the strings "r0" to "r4" are 2-byte ASCII encodings, stages affected are 

620 a. 9(i), 10(h), 11(h), 12(h), 15(f), 15(g), 17(d), 18(d), 19(d), 20(d), 21(d) 

621 Stages 

622 0. Ifstage==0 

623 a. Determine that sufficient resources are available to perform a TPM_DAA_J oin. 

624 i. The TPM MUST support sufficient resources to perform one (1) TPM_D AA_J oin / 

625 TPMJDAA_Sign. The TPM MAY support additional TPM_D AA_J oin / 

626 TPM_DAA_Sign sessions. 

627 ii The TPM may share internal resources between the DAA operations and other 

628 variable resource requirements: 

629 iii. If there are insufficient resources within the stored key pool (and one or more 

630 keys need to be removed to permit the DAA operation to execute) return 

631 TPM.NOSPACE 

632 iv. If there are insufficient resources within the stored session pool (and one or 

633 more authorization or transport sessions need to be removed to permit the 

634 DAA operation to execute), return TPM_RESOURCES. 

635 b. Set all fields in DAAJssuerSettings = NULL 

636 c. set all fields in DAA_tpmSpecific = NULL 

637 d. set all fields in DAA__session = NULL 

638 e. Set all fields in DAA_JoinSession = NULL 

639 f. Verify that sizeOf(inputData0) == sizeOf(DAA_tpmSpecific -> DAA_count) and return 

640 error TPM_DAA_INPUTJDATA0 on mismatch 

641 g. Verify that inputDataO > 0, and return error TPM_DAA_INPUT_DATA0 on mismatch 

642 h. Set DAA_tpmSpecific -> DAA_count = inputDataO 

643 i. set DAA_session -> DAA_digestContext = SH A- 1 (DAA_tpmSpecific | | 

644 DAAJoinSession)) 

645 j. set DAA_session -> DAA_stage = 1 

646 k. Assign session handle for TPM_D AA_J oin 

647 1. set outputData = new session handle 

648 m. return TPMJ3UCCESS 
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649 1. Ifstage==l 

650 a. Verify that DAA_session ->DAA_stage==l. Return TPM_DAA_STAGE and flush handle 

651 on mismatch 

652 b. Verify that DAA_session -> DAA_digestContext == SHA- 1 (DAA_tpmSpecific | | 

653 DAAJoinSession) and return TPMJDAAJTPM_SETTINGS on mismatch 

654 c. Verify that sizeOf(inputData0) == DAA_SIZE_issuerModulus and return error 

655 TPMJDAAJNPUTJDATAO on mismatch 

656 d. If DAA_session -> DAA_scratch == NULL: 

657 i. Set DAA_session -> DAA_scratch = inputDataO 

658 ii. set DAAJoinSession -> DAA_digest_nO = SHAl(DAA_session -> DAA_scratch) 

659 iii. set DAA_tpmSpecific -> DAA_rekey - SHA1(TPM_DAA_TPM_SEED | | 

660 DAAJoinSession -> DAA_digest_nO) 

661 e. Else (If DAA_session -> DAA_scratch != NULL): 

662 i. Set signedData = inputDataO 

663 ii. Verify that sizeOf(inputDatal) == DAA_SIZE_issuerModulus and return error 

664 TPMJDAAJNPUT_DATA1 on mismatch 

665 iii. Set signature Value = inputDatal 

666 iv. Use the RSA key == [DAA_session -> DAA_scratch] to verify that signatureValue is 

667 a signature on signedData, and return error TPMJ3AAJSSUERVALIDITY on 

668 mismatch 

669 v. Set DAA_session -> DAA_scratch = signedData 

670 f . Decrement DAAJpmSpecific -> DAA_count by 1 (unity) 

671 g. If DAA_tpmSpecific -> DAA_count ==0: 

672 h. increment DAA_Session -> DAA_Stage by 1 

673 i. set DAA_session -> DAA_digestContext - SHA- 1 (DAA_tpmSpecific | | 

674 DAAJoinSession) 

675 j. set outputData = NULL 

676 k. return TPM_SUCCESS 

677 2. Ifstage==2 

678 a. Verify that DAA_session ->DAA_stage==2. Return TPM_DAA_STAGE and flush handle 

679 on mismatch 

680 b. Verify that DAA_session -> DAA^digestContext == SHA- 1 (DAA_tpmSpecific | | 

681 DAAJoinSession) and return error TPM_DAAJTPM_SETTINGS on mismatch 

682 c. Verify that sizeOf(inputDataO) == sizeOf(TPM_DAAJSSUER) and return error 

683 TPM_DAA_INPUT_DATA0 on mismatch 

684 d. Set DAA_issuerSettings = inputDataO. Verify that all fields in DAAJssuer Settings are 

685 present and return error TPMJDAAJNPUTJDATAO if not. 
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686 e. Verify that sizeOf(inputDatal) == DAA_SIZE_issuerModulus and return error 

687 TPMJDAAJNPUTJDATAl on mismatch 

688 f. Set signature Value = inputDatal 

689 g. Set signedData = (DAAJoinSession -> DAA_digest_nO | | DAA_issuerSettings) 

690 h. Use the RSA key pAA_session -> DAA_scratch] to verify that signature Value is a 

691 signature on signedData, and return error TPMJ3AAJSSUERJVALIDITY on mismatch 

692 i. Set DAA_tpmSpecific -> DAA_digestIssuer == SHA- 1 (DAA_issuerSettings) 

693 j. set DAA_session -> DAA_digestContext = SHA-l(DAA_tpmSpecific | | 

694 DAAJoinSession) 

695 k. Set DAA_session -> DAA_scratch = NULL 

696 1. increment DAA__session -> DAA_stage by 1 

697 m. return TPM_SUCCESS 

698 3. Ifstage==3 

699 a. Verify that DAA_session ->DAA_stage==3. Return TPMJDAA^STAGE and flush handle 

700 on mismatch 

701 b. Verify that DAA_tpmSpecific -> DAA^digestlssuer === SHA- 1 (DAA JssuerSettings) and 

702 return error TPM_DAA_ISSUER_SETTINGS on mismatch 

703 c. Verify that DAA^session -> DAA_digestContext SHA- 1 (DAA^tpmSpecific | | 

704 DAAJoinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch 

705 d. Verify that sizeOf(inputData0) == sizeOf(DAA_tpmSpecific -> DAA_count) and return 

706 error TPMJDAA_INPUT_DATA0 on mismatch 

707 e. Set DAAJpmSpecific -> DAA_count = inputDataO 

708 f. obtain random data from the RNG and store it as DAAJoinSession -> DAAJoin^uO 

709 g. obtain random data from the RNG and store it as DAAJoinSession -> DAAJoin_ul 

710 h. set outputData = NULL 

711 i. increment DAA_session -> DAA_stage by 1 

712 j. set DAA_session -> DAA^digestContext = SHA- 1 (DAAJpmSpecific | | 

713 DAAJoinSession) 

714 k. return TPM_SUCCESS 

715 4. Ifstage==4, 

716 a. Verify that DAA.session ->DAA_stage==4. Return TPM_DAA_STAGE and flush handle 

717 on mismatch 

718 b. Verify that DAA_tpmSpecific -> DAA__digestIssuer == SHA- 1 (DAAJssuerSettings) and 

719 return error TPM_DAA_ISSUER_SETTINGS on mismatch 

720 c. Verify that DAA_session -> DAA_digestContext == SHA- 1 (DAA_tpmSpecific | | 

72 1 DAAJoinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch 

722 d. Set DAA_generic_RO = inputDataO 
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723 e. Verify that SHA- 1 (D AA_generic_RO) — DAAJssuerSettings -> DAA_digest_RO and 

724 return error TPM_DAA_INPUT_DATAO on mismatch 

725 f. Set DAA_generic_n = inputDatal 

726 g. Verify that SHA- 1 (DAA_generic__n) == DAAJssuerSettings -> DAA_digest_n and 

727 return error TPM_DAA JNPUT_DATA 1 on mismatch 

728 h. Set X = DAA_generic_RO 

729 i. Set n = DAA_generic_n 

730 j. Set f = SHAl(DAA_tpmSpecific -> DAA_rekey | | DAA_tpmSpecific -> DAA_count | | 0 

731 ) | | SHAl(DAA_tpmSpecific -> DAA_rekey | | DAAJpmSpecific -> DAA_count | | 1 ) mod 

732 DAA_issuerSettings -> DAA_generic_q 

733 k. Set f 0 = f mod 2 A DAA_powerO (erase all but the lowest DAA_powerO bits of f) 

734 1. Set DAA_session -> DAA_scratch = (X A fO) mod n 

735 m. set outputData = NULL 

736 n. increment DAA_session -> DAA_stage by 1 

737 o. return TPM_SUCCESS 

738 5. Ifstage==5 

739 a. Verify that DAA_session ->DAA„stage==5. Return TPM_DAA_STAGE and flush handle 

740 on mismatch 

741 b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA- 1 (DAA_issuerSettings) and 

742 return error TPM_DAA__ISSUER_SETTINGS on mismatch 

743 c. Verify that DAA_session -> DAA_digestContext — SHA- 1 (DAA_tpmSpecific | | 

744 DAAJoinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch 

745 d. Set DAA_generic_Rl = inputDataO 

746 e. Verify that SHA-l(DAA_generic_Rl) == DAAJssuer Settings -> DAA_digest_Rl and 

747 return error TPM_DAA_INPUT_DATAOon mismatch 

748 f. Set DAA_generic_n = inputDatal 

749 g . Verify that SHA- 1 (DAA_generic_n) == DAAJssuerSettings -> DAA_digest_n and 

750 return error TPMJDAA_INPUT_DATA 1 on mismatch 

751 h. Set X = DAA_generic_Rl 

752 i. Set n = DAA_generic_n 

753 j. Set f = SHAl(DAA_tpmSpecific -> DAA_rekey | | DAA_tpmSpecific -> DAA_count | | 0 

754 ) | | SHAl(DAA_tpmSpecific -> DAA_rekey | | DAA_tpmSpecific -> DAA_count | | 1 ) mod 

755 DAA^issuerSettings -> DAA_generic_q. 

756 k. Shift f right by DAA_powerO bits (discard the lowest DAA_powerO bits) and label the 

757 result fl 

758 1. Set Z = DAA_session -> DAA_scratch 

759 m. Set DAA_session -> DAA_scratch = Z*(X A f 1) mod n 

760 n. set outputData = NULL 
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761 o. increment DAA_session -> DAA_stage by 1 

762 p. return TPM_SUCCESS 

763 6. If stage==6 

764 a. Verify that DAA_session ->DAA_stage==6. Return TPM_DAA_STAGE and flush handle 

765 on mismatch 

766 b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA- 1 (DAA_issuerSettings) and 

767 return error TPM J3AA_ISSUERJ3ETTINGS on mismatch 

768 c. Verify that DAA_session -> DAA_digestContext == SHA- 1 (DAA_tpmSpe cific | | 

769 DAAJoinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch 

770 d. Set DAA_generic_S0 = inputDataO 

771 e. Verify that SHA- 1 (DAA_generic_S0) ™ DAA_issuerSettings -> DAA_digest_S0 and 

772 return error TPM_DAA_INPUT_DATAO on mismatch 

773 f. Set DAA_generic_n = inputDatal 

774 g . Verify that SHA- 1 (DAA_generic_n) == DAA_issuerSettings -> DAA_digest_n and 

775 return error TPM_D AA_INPUT__DATA 1 on mismatch 

776 h. Set X = DAA_generic_S0 

777 i. Set n = DAA_generic_n 

778 j . Set Z = DAA_session -> DAA_scratch 

779 k. Set Y = DAAJoinSession -> DAAJoin_uO 

780 1. Set DAA_session -> DAA_scratch = Z*(X A Y) mod n 

781 m. set outputData = NULL 

782 n. increment DAA_session -> DAA_stage by 1 

783 o. return TPM_SUCCESS 

784 7. Ifstage==7 

785 a. Verify that DAA_session ->DAA_stage==7. Return TPM_DAA_STAGE and flush handle 

786 on mismatch 

787 b. Verify that DAA^tpmSpecific -> DAA_dige stlssuer == SHA- 1 (DAA_issuerSettings) and 

788 return error TPM_DAA_ISSUER_SETTINGS on mismatch 

789 c. Verify that DAA_session -> DAA_digestContext == SHA- 1 (DAA_tpmSpecific | | 

790 DAAJoinSession) and return error TPM JDAAJTPM_SETTINGS on mismatch 

791 d. Set DAA_generic_Sl = inputDataO 

792 e. Verify that SHA-l(DAA_generic_Sl) == DAAJssuerSettings -> DAA^digest^Sl and 

793 return error TPM_DAA_INPUT_DATAO on mismatch 

794 f. Set DAA_generic_n = inputDatal 

795 g. Verify that SHA- 1 (DAA_generic_n) == DAA_issuerSettings -> DAA_digest_n and 

796 return error TPM_DAA„ INPUT_DATA 1 on mismatch 

797 h. Set X = DAA_generic_S 1 
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798 i. Set n = DAA_generic_n 

799 j. Set Y = DAAJoinSession -> DAAJoin_u 1 
BOO k. Set Z = DAA_session -> DAA__scratch 

301 1. Set DAA_session -> DAAjscratch = Z*(X A Y) mod n 

302 m. Set DAA_session -> DAA_digest to the SHA-1 (DAA_session -> DAA_scratch | | 

303 DAA_tpmSpecific -> DAA_count | | DAAJoinSession -> DAA_digest_nO) 

304 n. set outputData = DAA_session -> DAA_scratch 

305 o. set DAA_session -> DAA_scratch = NULL 

306 p. increment DAA_session -> DAA_stage by 1 

307 q. return TPM_SUCCESS 

308 8. If stage==8 

309 a. Verify that DAA_session ->DAA_stage==8. Return TPM_DAA_STAGE and flush handle 

310 on mismatch 

311 b. Verify that DAA__tpmSpecific -> DAA_digestIssuer == SHA- 1 (DAA_issuerSettings) and 

312 return error TPM_DAA__ISSUER_SETTINGS on mismatch 

313 c. Verify that DAA_session -> DAA_digestContext == SHA- 1 (DAA_tpmSpecific | | 

314 DAAJoinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch 

315 d. Verify inputSizeO ™ DAA_SIZE_NE and return error TPM__DAA_INPUT_DATAO on 

316 mismatch 

817 e. Set NE = deciypt(inputDataO, privEK) 

318 f. set outputData - SHA-l(DAA_session -> DAA_digest | | NE) 

319 g. set DAA_session -> DAA_digest = NULL 

320 h. increment DAA^session -> DAA_stage by 1 

321 i . return TPM_SUCCESS 

322 9. If stage==9 

823 a. Verify that DAA_session ->DAA_stage==9. Return TPM_DAA_STAGE and flush handle 

324 on mismatch 

325 b. Verify that DAA_tpmSpecific -> DAA_digestIssuer === SHA-l(DAAJssuerSettings) and 

326 return error TPM_DAA_ISSUER_SETTINGS on mismatch 

327 c. Verify that DAA_session -> DAA^digestContext == SHA- 1 (DAA_tpmSpecific | | 

328 DAAJoinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch 

329 d. Set DAA_generic_R0 = inputDataO 

330 e. Verify that SHA- l(DAA_generic_RO) == DAA_issuer Settings -> DAA__digest_RO and 

331 return error TPM_DAA_INPUT_DATAO on mismatch 

332 f. Set DAA_generic_n = inputDatal 

333 g. Verify that SHA-l(DAA_generic_n) == DAA_issuerSettings -> DAA_digest_n and 

334 return error TPM_DAA_INPUT_DATA 1 on mismatch 
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B35 h. obtain random data from the RNG and store it as DAA_session -> DAA_contextSeed 

336 i. obtain DAA_SIZE_rO bits from MGFlf'rO", DAA_session -> DAA_contextSeed), and 

337 label them Y 

338 j . Set X - DAA_generic_RO 

339 k. Set n = DAA_generic_ji 

340 1. Set DAA_session -> DAA_scratch = (X A Y) mod n 

341 m. set outputData = NULL 

342 n. increment DAA_session -> DAA_stage by 1 

343 o. return TPM_SUCCESS 

344 10. If stage==10 

345 a . Verify that DAA_session ->DAA_stage==10. Return TPM_DAA_STAGE and flush 

346 handle on mismatch h 

347 b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA- 1 (DAAJssuerSettings) and 

348 return error TPM_DAA_ISSUER_SETTINGS on mismatch 

349 c. Verify that DAA_session -> DAAjiigestContext == SHA- 1 (D AA_tpmSpecific | | 

350 DAAJoinSession) and return error TPM_DAA_TPM__SETTINGS on mismatch 

351 d. Set DAA_generic_Rl = inputDataO 

352 e. Verify that SHA-l(DAA_generic_Rl) == DAAJssuerSettings -> DAA_digest_Rl and 

353 return error TPM_DAA_INPUT_DATAO on mismatch 

354 f. Set DAA_generic_n = inputDatal 

355 g. Verify that SHA- 1 (DAA_generic_n) == DAA_issuerSettings -> DAA_digest_n and 

356 return error TPM_DAA_INPUT_DATA 1 on mismatch 

357 h. obtain DAA_SIZE_rl bits from MGFl("rl", DAA^session -> DAA_contextSeed), and 

358 label them Y 

359 i. Set X = DAA_generic_Rl 

360 j . Set n = DAA__generic_n 

361 k. Set Z = DAA_session -> DAA_scratch 

362 1. Set DAA_session -> DAA_scratch = Z*(X A Y) mod n 

363 m. set outputData = NULL 

364 n. increment DAA_session -> DAA__stage by 1 

365 o. return TPM_SUCCESS 

366 11. If stage==ll 

367 a. Verify that DAA_session ->DAA_stage==l 1. Return TPM_DAA_STAGE and flush 

368 handle on mismatch 

369 b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA~ 1 (DAA_issuerSettings) and 

370 return error TPM_DAA_ISSUER_SETTINGS on mismatch 
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371 c. Verify that DAA_session -> DAA_digestContext == SHA- 1 (DAA_tpmSpecific | | 

372 DAAJoinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch 

373 d. Set DAA_generic_SO = inputDataO 

374 e. Verify that SHA- 1 (DAA_generic_SO) == DAAJssuerSettings -> DAA_digest_SO and 

375 return error TPM_DAA_INPUT_DATAO on mismatch 

376 f. Set DAA_generic_n = inputDatal 

377 g. Verify that SHA- 1 (DAA_generic_n) == DAA_issuerSettings -> DAA_digest_n and 

378 return error TPM_D AA_INPUT_D ATA 1 on mismatch 

379 h. obtain DAA_SIZE_r2 bits from MGFl("r2", DAA_session -> DAA_contextSeed), and 

380 label them Y 

381 i. Set X = DAA_generic_SO 

382 j. Set n = DAA_generic_n 

383 k. Set Z = DAA_session -> DAA_scratch 

384 1. Set DAA_session -> DAA_scratch = Z*(X A Y) mod n 

385 m. set outputData = NULL 

386 n. increment DAA_session -> DAA_stage by 1 

387 o. return TPM_SUCCESS 

388 12. If stage==12 

389 a. Verify that DAA^session ->DAA_stage==12. Return TPM_DAAJ3TAGE and flush 

390 handle on mismatch 

391 b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA- 1 (DAA JssuerSettings ) and 

392 return error TPM J3AA_ISSUER_SETTINGS on mismatch 

393 c. Verify that DAA_session -> DAA_digestContext == SHA- 1 (DAAJpmSpecific | | 

394 DAAJoinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch 

395 d. Set D AA_generic_S 1 = inputDataO 

396 e. Verify that SHA-l(DAA_generic_Sl) == DAA_issuerSettings -> DAA_digest_S 1 and 

397 return error TPM_DAA_INPUT_DATAO on mismatch 

398 f. Set DAA_generic_n = inputDatal 

399 g. Verify that SHA- 1 (DAA_generic_n) == DAA_issuerSettings -> DAA_digest_n and 

900 return error TPM_DAA_INPUT_D ATA 1 on mismatch 

901 h. obtain DAA_SIZE_r3 bits from MGFl("r3", DAA_session -> DAA_contextSeed), and 

902 label them Y 

903 i. Set X = D AA_generic_S 1 

904 j . Set n = DAA_generic_n 

905 k. Set Z = DAA_session -> DAA_scratch 

906 1. Set DAA__session -> DAA_scratch = Z*(X A Y) mod n 

907 m. set outputData = DAA_session -> DAA_scratch 
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908 n. Set DAA_session -> DAA_scratch = NULL 

909 o. increment DAA_session -> DAA__stage by 1 

910 p. return TPM_SUCCESS 

911 13. If stage==13 

912 a. Verify that DAA_session->DAA_stage== 1 3 . Return TPM_DAA_STAGE and flush 

913 handle on mismatch 

914 b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA- 1 (DAA JssuerSettings) and 

915 return error TPM_DAA_ISSUER_SETTINGS on mismatch 

916 c. Verify that DAA_session -> DAA_digestContext == SHA- 1 (DAA_tpmSpecific | | 

917 DAAJoinSession) and return error TPM_DAAJTPM_SETTINGS on mismatch 

918 d. Set DAA_generic_gamma = inputDataO 

919 e. Verify that SHA- 1 (DAA_generic_gamma) == DAA_issuerSettings -> 

920 DAA_digest_gamma and return error TPM_DAA_INPUT_DATAO on mismatch 

921 f. Verify that inputSizel == DAA_SIZE_w and return error TPM_DAA_INPUT_DATA 1 on 

922 mismatch 

923 g. Set w = inputDatal 

924 h. Set wl = w A ( DAAJssuerSettings -> DAA_generic_q) mod (DAA_generic_gamma) 

925 i. If wl != 1 (unity), return error TPM_DAA_WRONG_W 

926 j. Set DAA_session -> DAA_scratch = w 

927 k. set outputData = NULL 

928 1. increment DAA_session -> DAA_stage by 1 

929 m. return TPM^SUCCESS. 

930 14.1f stage==14 

931 a. Verify that DAA_session ->DAA_stage==14. Return TPM_DAA_STAGE and flush 

932 handle on mismatch 

933 b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA- 1 (DAA_issuerSettings ) and 

934 return error TPM_DAA_ISSUER_SETTINGS on mismatch 

935 c. Verify that DAA^session -> DAA_digestContext == SHA- 1 (DAA_tpmSpecific | | 

936 DAAJoinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch 

937 d. Set D AA_generic_gamm a = inputDataO 

938 e. Verify that SHA- 1 (DAA_generic_gamma) == DAA_issuerSettings -> 

939 DAA_digest__gamma and return error TPM_DAA_INPUT_DATA0 on mismatch 

940 f. Set f = SHAl(DAA_tpmSpecific -> DAA^rekey | | DAA_tpmSpecific -> DAA_count | | 0 

941 ) | | SHAl(DAAJ:pmSpecific -> DAA_rekey | | DAA_tpmSpecific -> DAA_count | | 1 ) mod 

942 DAA_issuerSettings -> DAA_generic„q. 

943 g. Set E = ((DAA_session -> DAA_scratch) A f) mod (D AA_generic_gamma) . 

944 h. Set outputData = E 

945 i. increment DAA_session -> DAA_stage by 1 
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946 j . return TPM^SUCCESS. 

947 15. If stage==15 

948 a. Verify that DAAjsession - >D AA_stage= = 1 5 . Return TPM_DAA_STAGE and flush 

949 handle on mismatch 

950 b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA- 1 (DAAJssuerSettings) and 

951 return error TPM___DAAJSSUER_SETTINGS on mismatch 

952 c. Verify that DAA_session -> DAA_digestContext == SHA- 1 (DAA_tpmSpecific | | 

953 DAAJoinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch 

954 d. Set DAA_generic_gamma = inputDataO 

955 e. Verify that SHA- 1 (DAA_generic_gamma) == DAA_issuerSettings -> 

956 DAA_digest_gamma and return error TPM_DAA_INPUT_DATAO on mismatch 

957 f. obtain DAA_SIZE_rO bits from MGFl("rO", DAA_session -> DAA_contextSeed), and 

958 label them rO 

959 g. obtain DAA_SIZE_rl bits from MGFlf'rl", DAA_session -> DAA_contextSeed), and 

960 label them rl 

961 h. set r = rO + 2 A DAA_powerO * rl mod (DAA_issuerSettings -> DAA_generic_q). 

962 i. set El = ((DAA_session -> DAA__scratch) A r) mod (DAA_generic_gamma). 

963 j. Set DAA_session -> DAA_scratch = NULL 

964 k. Set outputData - El 

965 1. increment DAA_session -> DAA_stage by 1 

966 m. return TPM_SUCCESS. 

967 16. If stage==16 

968 a. Verify that DAA_session ->DAA_stage-=16. Return TPMJDAAJSTAGE and flush 

969 handle on mismatch 

970 b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA- 1 (DAAJssuer Settings) and 

971 return error TPM_DAA_ISSUER_SETTINGS on mismatch 

972 c. Verify that DAA_session -> DAA_digestContext == SHA- 1 (D AA_tpmSpecific | | 

973 DAAJoinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch 

974 d. Verify that inputSizeO == sizeOf(TPM_DIGEST) and return error 

975 TPM_DAA_INPUT_DATAO on mismatch 

976 e. Set DAA_session -> DAA_digest = inputDataO 

977 f. obtain DAA_SIZE__NT bits from the RNG and label them NT 

978 g. Set DAA_session -> DAA_digest to the SHA-1 ( DAA_session -> DAA_digest | | NT ) 

979 h. Set outputData = NT 

980 i. increment DAA_session -> DAA_stage by 1 

98 1 j . return TPM„SUCCESS. 

982 17.1f stage==17 
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983 a. Verify that DAA_session ->DAA_stage==17. Return TPMJDAA_STAGE and flush 

984 handle on mismatch 

985 b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA- 1 (DAA_issuerSettings) and 

986 return error TPM_DAAJSSUER_SETTINGS on mismatch 

987 c. Verify that DAA_session -> DAA^digestContext == SHA- 1 (DAA_tpmSpecific | | 

988 D^AJoinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch 

989 d. obtain DAA_SIZE_rO bits from MGFlf'rO", DAA_session -> DAA_contextSeed), and 

990 label them rO 

991 e. Set f = SHAl(DAAJ:pmSpecific -> DAA_rekey | | DAA_tpmSpecific -> DAA_count | | 0 

992 ) | | SHAl(DAA_tpmSpecific -> DAA^rekey | | DAA_tpmSpecific -> DAA_count | | 1 ) mod 

993 DAA_issuer Settings -> DAA_generic_q. 

994 f . Set fD = f mod 2 A DAA_powerO (erase all but the lowest DAA_powerO bits of f) 

995 g. Set sO = rO + (DAA_session -> DAA_digest) * fO in Z 

996 h. set outputData = sO 

997 i. increment DAA_session -> DAA_stage by 1 

998 j . return TPM.SUCCESS 

999 18.1f stage==18 

000 a. Verify that DAA_session ->DAA_stage-=18. Return TPM_DAA_STAGE and flush 

00 1 handle on mismatch 

002 b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA- 1 (DAA_issuerSettings) and 

003 return error TPM_DAA_ISSUER__SETTINGS on mismatch 

004 c. Verify that DAA_session -> DAA^digestContext == SHA- 1 (DAAJpmSpecific | | 

005 DAAJoinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch 

006 d. obtain DAA_SIZE_rl bits from MGFl("rl", DAA^session -> DAA^contextSeed), and 

007 label them rl 

008 e. Setf = SHAl(DAA_tpmSpecific -> DAA_rekey | | DAA_tpmSpecific -> DAA_count | | 0 

009 ) | | SHAl(DAA_tpmSpecific -> DAA_rekey | | DAA_tpmSpecific -> DAA_count | | 1 ) mod 

010 DAA_issuerSettings -> DAA_generic_q. 

011 f. Shift f right by DAA__power0 bits (discard the lowest DAA_power0 bits) and label the 

012 result fl 

013 g. Set si - rl + (DAA_session -> DAA_digest)* fl in Z 

014 h. set outputData = si 

015 i. increment DAA_session -> DAA_stage by 1 

016 j . return TPM_SUCCESS 

017 19. If stage==19 

018 a. Verify that DAA_session ->DAA_stage==19. Return TPM_DAA_STAGE and flush 

019 handle on mismatch 

020 b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA- 1 (DAA_issuerSettings) and 

02 1 return error TPM_DAA_ISSUER_SETTINGS on mismatch 
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022 c. Verify that DAA_session -> DAA_digestContext == SHA- 1 (DAA_tpmSpecific | | 

023 DAAJoinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch 

024 d. obtain DAA_SIZE_r2 bits from MGFl("r2", DAA_session -> DAA_contextSeed), and 

025 label them r2 

026 e. Set s2 = r2 + (DAA_session -> DAA_digest)*( DAAJoinSession -> DAAJoin_u0) mod 

027 2 A DAA_powerl (Erase all but the lowest DAA__powerl bits of s2) 

028 f. Set DAA_session -> DAA_scratch = s2 

029 g. set outputData = s2 

030 h. increment DAA_session -> DAA_stage by 1 

031 i. return TPM_SUCCESS 

032 20. If stage==20 

033 a. Verify that DAA_session ->DAA_stage==20. Return TPM_DAA_STAGE and flush 

034 handle on mismatch 

035 b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA- 1 (DAAJssuerSettings) and 

036 return error TPM_DAA_ISSUER_SETTINGS on mismatch 

037 c. Verify that DAA_session -> DAA_digestContext == SHA-l(DAA__tpmSpecific | | 

038 DAAJoinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch 

039 d. obtain DAA__SIZE_r2 bits from MGFl("r2", DAA_session -> DAA_contextSeed), and 

040 label them r2 

041 e. Set sl2 = r2 + (DAA_session -> DAA_digest)*( DAAJoinSession -> DAAJoin_uO) 

042 f. Shift sl2 right by DAA_powerl bit (discard the lowest DAA_powerl bits). 

043 g. Set DAA_session -> DAA_scratch = sl2 

044 h. Set outputData = DAA_session -> DAA_digest 

045 i. increment DAA^session -> DAA_stage by 1 

046 j . return TPM_SUCCESS 

047 21. If stage==21 

048 a. Verify that DAA_session ->DAA_stage==21. Return TPM_DAA_STAGE and flush 

049 handle on mismatch 

050 b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA- 1 (DAAJssuerSettings) and 

051 return error TPM_DAA_ISSUER_SETTINGS on mismatch 

052 c. Verify that DAA__session -> DAA_digestContext == SHA- 1 (DAA_tpmSpecific | | 

053 DAAJoinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch 

054 d. obtain DAA_SIZE_r3 bits from MGFl("r3", DAA_session -> DAA_contextSeed), and 

055 label them r3 

056 e. Set s3 = r3 + (DAA_session -> DAA_digest)*( DAAJoinSession -> DAAJoinjal) + 

057 (DAA_session -> DAA_scratch). 

058 f. Set DAA_session -> DAA_scratch = NULL 

059 g. set outputData = s3 
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060 h. increment DAA_session -> DAA_stage by 1 

06 1 i. return TPM_SUCCESS 

062 22. If stage==22 

063 a. Verify that DAA_session ->DAA_stage==22. Return TPM_DAA_STAGE and flush 

064 handle on mismatch 

065 b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-l(DAA_issuerSettings) and 

066 return error TPM JDAAJSSUER_SETTINGS on mismatch 

067 c. Verify that DAA_session -> DAA_digestContext ™ SHA- 1 (DAA_tpmSpecific | | 

068 DAAJoinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch 

069 d. Verify inputSizeO == DAA_SIZE_vO and return error TPM_DAA_INPUT_DATAO on 

070 mismatch 

071 e. Set u2 = inputDataO 

072 f. Set vO = u2 + (DAAJoinSession -> DAAJoin_uO) mod 2 A DAA_powerl (Erase all but 

073 the lowest DAA_powerl bits of vO). 

074 g. Set DAA_tpmSpecific -> DAA_digest_vO = SHA-l(vO) 

075 h. Set vlO = u2 + (DAAJoinSession -> DAAJoin_uO) in Z 

076 i. Shift vlO right by DAA_powerl bits (erase the lowest DAA_powerl bits). 

077 j . Set DAA_session ->DAA_scratch = vlO 

078 k. Set outputData 

079 i. Fill in TPM_DAA_BLOB with a type of TPM_RT_DAA_VO and encrypt the vO 

080 parameters 

081 ii. set outputData to the encrypted TPM_DAA_BLOB 

082 1. increment DAA_session -> DAA_stage by 1 

083 m. set DAA_session -> DAA_digestContext = SHA- 1 (DAA_tpmSpecific | | 

084 DAAJoinSession) 

085 n. return TPM__SUCCESS 

086 23. If stage==23 

087 a. Verify that DAA_session ->DAA_stage==23. Return TPM_DAA_STAGE and flush 

088 handle on mismatch 

089 b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA- 1 (DAA_issuerSettings) and 

090 return error TPM_DAA_ISSUER_SETTINGS on mismatch 

091 c. Verify that DAA_session -> DAA_digestContext == SHA- 1 (DAA_tpmSpecific | | 

092 DAAJoinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch 

093 d. Verify inputSizeO == DAA_SIZE_vl and return error TPM_DAAJNPUT_DATAO on 

094 mismatch 

095 e. Set u3 = inputDataO 

096 f. Set vl = u3 + DAAJoinSession -> DAAJoin_ul + DAA__session ->DAA_scratch 

097 g. Set DAA_tpmSpecific -> DAA_digest_vl = SHA-l(vl) 
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D98 h. Set outputData 

099 i. Fill in TPMJ3AA_BLOB with a type of TPM_RT_D AA_V 1 and encrypt the vl 

100 parameters 

101 ii. set outputData to the encrypted TPM_DAA_BLOB 

102 i. Set DAA_session ->DAA_scratch = NULL 

103 j. increment DAA_session -> DAA_stage by 1 

104 k. set DAA_session -> DAA_digestContext = SHA- 1 (DAA_tpmSpecific | | 

105 DAAJoinSession) 

106 1 . return TPM.SUCCESS 

107 24. If stage==24 

108 a. Verify that DAA^session ->DAA_stage==24. Return TPM_DAA_STAGE and flush 

109 handle on mismatch 

110 b. Verify that DAA_tpmSpecific -> DAA^digestlssuer == SHA- 1 (DAA_issuerSettings) and 

111 return error TPMJDAAJSSUERJSETTINGS on mismatch 

112 c. Verify that DAA_session -> DAA^digestContext == SHA- 1 (DAAJpmSpecific || 

113 DAAJoinSession) and return error TPM_DAA_TPM_SETTINGS on mismatch 

1 14 d. set outputData = enc(DAA__tpmSpecific) 

115 e. return TPM_SUCCESS 

1 16 25.1f stage > 24, return error: TPMJDAA_STAGE 
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117 26.2 TPM_DAA_Sign 

118 TPM protected capability; user must provide authorizations from the TPM Owner. 

1 19 Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPMJTAG 


Tag 


TPM_TAG_RQU_AUTH 1 _COMMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes incl. paramSize and tag 


3 


4 


1S 


4 


TPM_C0MMAND_C0DE 


Ordinal 


Command ordinal: TPM_ORD_DAA_Sign 


4 


4 






TPMJHANDLE 


handle 


Handle to the sign session 


5 


1 


2S 


1 


BYTE 


stage 


Stage of the sign process 


6 


4 


3S 


4 


U1NT32 


inputSizeO 


Size of inputDataO for this stage of DAA_Sign 


7 


o 


4S 


<> 


BYTEQ 


inputDataO 


Data to be used by this capability 


8 


4 


5S 


4 


UINT32 


inputSizel 


Size of inputDatal for this stage of DAA_Sign 


9 


o 


6S 


o 


BYTEQ 


inputOatal 


Data to be used by this capability 


10 


4 






TPM.AUTHHANDLE 


authHandle 


The authorization session handle used for owner authentication 






2H1 


20 


TPM.NONCE 


authLastNonceEven 


Even nonce prevbusly generated by TPM to cover inputs 


11 


20 


3H1 


20 


TPMJMONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


12 


1 


4H1 


1 


BOOL 


continueAuthSession 


Continue use flag, TRUE if handle is still active 


13 


20 




20 


TPM_AUTHDATA 


ownerAuth 


The authorization session digest for inputs and owner. HMAC key: 
ownerAuth. 


Ou 


itgoing Operands and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


sz 


# 


SZ 


1 


2 






TPMJTAG 


tag 


TPM_TAG_RSP JVUTHI^COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes incl. paramSize and tag 


3 


4 


1S 


4 


TPM_RESULT 


returnCode 


The return code of the operation 






2S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal:TPM_ORDJ}AA_Sign 


4 


4 


3S 


4 


UINT32 


outputSize 


Size of outputData 


5 


<> 


4S 


<> 


BYTEQ 


outputData 


Data produced by this capability 


6 


20 


2H1 


20 


TPM_N0NCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 






3H1 


20 


TPM.NONCE 


nonceOdd 


Nonce generated by system associated with authHandle | 


7 


1 


4H1 


1 


BOOL 


continueAuthSession 


Continue use flag, TRUE if handle is still active 


8 


20 




20 


TPM_AUTHDATA 


resAuth 


The authorization session digest for the returned parameters. HMAC key: 
ownerAuth. 
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121 Description 

122 This table summaries the input, output and saved data that is associated with each stage of 

123 processing. 



ge 


Input DataO 


Input Datal 


Operation 


Output Data 


Scratchpad 


0 


DAAjssuerSettings 


NULL 


initialise 


handle 


NULL 


1 


enc(DAA_tpmSpeciflc) 


NULL 


initialise 


NULL 


NULL 


2 


DAA_generic_RO 


DAA_generic_n 


P1=R0 A rt) mod n 


NULL 


P1 


3 


DAA_cjeneric_R1 


DAA_generic_n 


P2 = P1*(R1 A r1) mod n 


NULL 


P2 


4 


DAA_generic_S0 


DAA_generic_n 


P3 = P2*(S0 A r2) mod n 


NULL 


P3 


5 


DAA_seneric_S1 


DAA_generic_n 


T = P3*(S1 A r4) mod n 


T 


NULL 


6 


DAA_generic_gamma 


w 


w1 = w A q mod gamma 


NULL 


w 


7 


DAA_generic_gamma 


NULL 


E = w A f mod gamma 


E 


w 


8 


DAA_generic_gam ma 


NULL 


r = r0 + (2 A power0)YI 
mod q, 

E1 = w A r mod gamma 


E1 


NULL 


9 


d 


NULL 


c = hash(c1 1| NT) 


NT 


NULL 


10 


b (selector) 


m or handle to AIK 


c = hash(c || 1 || m) 
or 

c = hashfc || 0 || AIK- 
modulus) 


c 


NULL 












11 


NULL 


NULL - 


sO = r0 + c*f0 


sO 


NULL 


12 


NULL 


NULL 


s1 = r1 + c*f1 


s1 


NULL 


13 


enc(vO) 


NULL 


s2 = r2 + c*v0 
mod 2 A power1 


s2 


NULL 


14 


enc(vO) 


NULL 


s12 = r2 + c*v0 
» powerl 


NULL 


s12 


15 


enc(v1) 


NULL 


s3 = r4 + c*v1 +s12 


s3 


NULL 



124 

125 When a TPM receives an Owner authorized command to input enc(DAA_tpmSpecific) or 

126 enc(vO) or enc(vl), the TPM MUST verify that the TPM created the data and that neither the 

127 data nor the TPM's EK has been changed since the data was created. Loading one of these 

128 wrapped blobs does not require authorization, since correct blobs were created by the TPM 

129 under Owner authorization, and unwrapped blobs cannot be used without Owner 

130 authorisation. The TPM MUST NOT restrict the number of times that the contents of 

131 enc(DAAJpmSpecific) or enc(vO) or enc(vl) can be used by the same combination of TPM 

132 and Owner that created them.. 

133 Actions 

134 A Trusted Platform Module that receives a valid TPM_DAA_Sign command SHALL: 

135 26. Use ownerAuth to verify that the Owner authorized all TPM_DAA_Sign input parameters. 

136 27. Any error results in the TPM invalidating all resources associated with the command 

137 28. Constant values of 0 or 1 are 1 byte integers, stages affected are 

138 a. 7(f), 11(e), 12(e) 
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139 29. Representation of the strings "rO" to "r4" are 2- byte ASCII encodings, stages affected are 

140 a. 2(h), 3(h), 4(h), 5(h), 12(d), 13(f), 14(f), 15(f) 

141 Stages 

142 0. If stage==0 

143 a. Determine that sufficient resources are available to perform a TPMJDAA_Sign. 

144 i. The TPM MUST support sufficient resources to perform one (1) TPM_D AA_J oin / 

145 TPM_D AA_Sign . The TPM MAY support addition TPM_D AA_Join / TPMJDAA^Sign 

146 sessions. 

147 ii. The TPM may share internal resources between the DAA operations and other 

148 variable resource requirements: 

149 iii. If there are insufficient resources within the stored key pool (and one or more 

150 keys need to be removed to permit the DAA operation to execute) return 

151 TPM_NOSPACE 

152 iv. If there are insufficient resources within the stored session pool (and one or 

153 more authorization or transport sessions need to be removed to permit the 

154 DAA operation to execute), return TPM_RESOURCES. 

155 b. Set DAA_issuerSettings = inputDataO 

156 c. Verify that all fields in DAA_issuerSettings are present and return error 

1 57 TPM_DAA_INPUT_DATAO if not. 

158 d. set all fields in DAA_session = NULL 

159 e. Assign new handle for session 

160 f. Set outputData to new handle 

161 g. set DAA_session -> DAA_stage = 1 

162 h. return TPM_SUCCESS 

163 1. Ifstage==l 

164 a. Verify that DAA_session ->DAA_stage==l. Return TPM_DAA_STAGE and flush handle 

165 on mismatch 

166 b. Set DAA_tpmSpecific = unwrap (inputDataO) 

167 c. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-l(DAA_issuerSettings) and 

168 return error TPM_DAA_ISSUER_SETTINGS on mismatch 

169 d. set DAA^session -> DAA_digestContext = SHA- 1 (DAA_tpmSpecific) 

170 e. obtain random data from the RNG and store it as DAA_session -> DAA_contextSeed 

171 f. set outputData = NULL 

172 g. set DAA_session -> DAA_stage =2 

173 h. return TPM^SUCCESS 

174 2. Ifstage==2 
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175 a. Verify that DAA_session ->DAA_stage==2. Return TPM_DAA_STAGE and flush handle 

176 on mismatch 

177 b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA- 1 (DAA_issuerSettings) and 

178 return error TPM_DAA_ISSUER_SETTINGS on mismatch 

179 c. Verify that DAA_session -> DAA_digestContext == SHA- 1 (DAA_tpmSpecific) and 

180 return error TPM_DAA_TPM_SETTINGS on mismatch 

181 d. Set DAA_generic_R0 = inputDataO 

182 e. Verify that SHA- 1 (DAA__generic_RO) == DAA_issuerSettings -> DAA_digest_RO and 

183 return error TPM_DAA_INPUT_DATAO on mismatch 

184 f. Set DAA_generic_n = inputDatal 

185 g. Verify that SHA-l(DAA_generic_n) == DAAJssuerSettings -> DAA_digest_n and 

186 return error TPMJDAAJNPUTJDATAl on mismatch 

187 h. obtain DAA_SIZE_rO bits from MGFlf'rO", DAA_session -> DAA_contextSeed), and 

188 label them Y 

189 i. Set X = DAA_generic_RO 

190 j. Set n = DAA_generic_n 

191 k. Set DAA_session -> DAA^scratch = (X A Y) mod n 

192 1. set outputData = NULL 

193 m. increment DAA_session -> DAA_stage by 1 

194 n. return TPM_SUCCESS 

195 3. Ifstage==3 

196 a. Verify that DAA.session ->DAA_stage==3. Return TPM_DAA_STAGE and flush handle 

197 on mismatch 

198 b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA- l(DAA_issuer Settings) and 

199 return error TPMJDAAJSSUER_SETTINGS on mismatch 

200 c. Verify that DAA_session -> DAA_digestContext == SHA- 1 (DAA_tpmSpecific) and 

201 return error TPM_DAA_TPM_SETTINGS on mismatch 

202 d. Set DAA_generic_Rl = inputDataO 

203 e. Verify that SHA-l(DAA_generic_Rl) == DAAJssuer Settings -> DAA^digest^Rl and 

204 return error TPM_DAA_INPUT_DATAO on mismatch 

205 f. Set DAA_generic__n = inputDatal 

206 g. Verify that SHA-l(DAA_generic_n) == DAAJssuerSettings -> DAA^digest.n and 

207 return error TPM_DAA_INPUT_DATA 1 on mismatch 

208 h. obtain DAA_SIZE_rl bits from MGFl("rl ,, > DAA_session -> DAA_contextSeed), and 

209 label them Y 

210 i . Set X = DAA_generic_R 1 

211 j . Set n = DAA_generic_n 

212 k. Set Z = DAA_session -> DAA^scratch 
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213 1. Set DAA_session -> DAA_scratch = Z*(X A Y) mod n 

214 m. set outputData = NULL 

215 n. increment DAA_session -> DAA_ stage by 1 

216 o. return TPM_SUCCESS 

217 4. Ifstage==4 

218 a. Verify that DAA_session ->DAA_stage==4. Return TPM_DAA_STAGE and flush handle 

219 on mismatch 

220 b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA- 1 (DAAJssuerSettings) and 

22 1 return error TPM_DAA_ISSUER_SETTINGS on mismatch 

222 c. Verify that DAA_session -> DAA_digestContext = SHA- 1 (DAA_tpmSpecific) and 

223 return error TPM_DAA_TPM_SETTINGS on mismatch 

224 d. Set DAA_generic_S0 = inputDataO 

225 e. Verify that SHA- 1 (DAA__generic_S0) == DAAJssuerSettings -> DAA_digest_S0 and 

226 return error TPM_DAA_INPUT_DATAO on mismatch 

227 f. Set DAA_generic_n = inputDatal 

228 g. Verify that SHA- 1 (DAA_generic_n) == DAAJssuerSettings -> DAA_digest_n and 

229 return error TPM_DAA_INPUT_D ATA 1 on mismatch 

230 h. obtain DAA_SIZE_r2 bits from MGFl("r2", DAA_session -> DAA_contextSeed), and 

231 label them Y 

232 i. Set X - DAA_generic_S0 

233 j. Set n = DAA_generic_n 

234 k. Set Z = DAA_session -> DAA_scratch 

235 1. Set DAA_session -> DAA_scratch = Z*(X A Y) mod n 

236 m. set outputData = NULL 

237 n. increment DAA_session -> DAA_stage by 1 

238 o. return TPM_SUCCESS 

239 5. If stage==5 

240 a. Verify that DAA_session ->DAA_stage==5. Return TPM_DAA_STAGE and flush handle 

241 on mismatch 

242 b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA- 1 (DAA_issuerSettings) and 

243 return error TPM JDAA_ISSUER_SETTINGS on mismatch 

244 c. Verify that DAA_session -> DAA^digestContext == SHA- 1 (DAA_tpmSpecific) and 

245 return error TPM_DAA_TPM_SETTINGS on mismatch 

246 d. Set DAA_generic_S 1 = inputDataO 

247 e. Verify that SHA-l(DAA_generic_Sl) == DAAJssuer Settings -> DAA_digest_S 1 and 

248 return error TPM_DAA_INPUTJDATAO on mismatch 

249 f. Set DAA_generic_n = inputDatal 



276 



TCG Published 



Level 2 Revision 94 29 March 2006 Draft 



TPM Main Part 3 Commands TCG © Copyright 

Specification Version 1.2 

250 g. Verify that SHA- 1 (DAA_generic__n) == DAA_issuerSettings -> DAA_digest_n and 

251 return error TPM_DAA JNPUTJD ATA 1 on mismatch 

252 h. obtain DAA_SIZE_r4 bits from MGFl("r4", DAA_session -> DAA_contextSeed), and 

253 label them Y 

254 i . Set X = DAA__generic_S 1 

255 j. Set n = DAA_generic_n 

256 k. Set Z = DAA_session -> DAA_scratch 

257 1. Set DAA__session -> DAA_scratch = Z*(X A Y) mod n 

258 m. set outputData = DAA_session -> DAA_scratch 

259 n. set DAA_session -> DAA_scratch = NULL 

260 o. increment DAA_session -> DAA_stage by 1 

261 p. return TPM_SUCCESS 

262 6. If stage==6 

263 a. Verify that DAA_session ->DAA_stage==6. Return TPM_DAA_STAGE and flush handle 

264 on mismatch 

265 b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA- 1 (DAA JssuerSettings) and 

266 return error TPMJ3AA_ISSUER_SETTINGS on mismatch 

267 c. Verify that DAA_session -> DAA_digestContext == SHA- 1 (DAA_tpmSpecific) and 

268 return error TPM_DAA_TPM_SETTINGS on mismatch 

269 d. Set DAA_generic_gammma = inputDataO 

270 e. Verify that SHA- 1 (DAA„generic_gamma) == DAAJssuerSettings -> 

271 DAA_digest_gamma and return error TPM_DAA_INPUT_DATAO on mismatch 

272 f. Verify that inputSizel == DAA_SIZE_w and return error TPM_DAA_INPUT_DATA 1 on 

273 mismatch 

274 g. Set w = inputDatal 

275 h. Set wl = w A ( DAAJssuerSettings -> DAA_generic_q) mod (DAA_generic_gamma) 

276 i. If wl != 1 (unity), return error TPM_DAA_WRONGJW 

277 j. Set DAA_session -> DAA_scratch = w 

278 k. set outputData = NULL 

279 1. increment DAA_session -> DAA_stage by 1 

280 m. return TPM_SUCCESS. 

281 7. Ifstage==7 

282 a. Verify that DAA_session ->DAA_stage==7. Return TPM_DAA_STAGE and flush handle 

283 on mismatch 

284 b. Verify that DAA_tpmSpecific -> DAA__digestIssuer == SHA- 1 (DAA_issuerSettings) and 

285 return error TPM_DAA_ISSUER_SETTINGS on mismatch 
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286 c. Verify that DAA_session -> DAA_digestContext == SHA- 1 (DAA__tpmSpecific) and 

287 return error TPM_DAA_TPM_SETTINGS on mismatch 

288 d. Set DAA_generic_gamma = inputDataO 

289 e. Verify that SHA- 1 (D AA_generic_gamma) == DAA_issuerSettings -> 

290 DAA_digest__gamma and return error TPM_DAA_INPUT_DATAO on mismatch 

291 f. Set f = SHAl(DAA_tpmSpecific -> DAA_rekey | | DAA_tpmSpecific -> DAA__count | | 0 

292 ) | | SHAl(DAA__tpmSpecific -> DAA_rekey | | DAA_tpmSpecific -> DAA_count | | 1 ) mod 

293 DAA_issuerSettings -> DAA_generic_q. 

294 g. Set E = ((DAA_session -> DAA_scratch) A f) mod (DAA_generic_gamma) . 

295 h. Set outputData = E 

296 i. increment DAA_session -> DAA__stage by 1 

297 j . return TPM_SUCCESS. 

298 8. Ifstage==8 

299 a. Verify that DAA_session ->DAA_stage==8. Return TPMJDAA_STAGE and flush handle 

300 on mismatch 

301 b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA- 1 (DAA_issuerSettings) and 

302 return error TPM_DAA_ISSUERJ3ETTINGS on mismatch 

303 c. Verify that DAA_session -> DAA_digestContext == SHA- 1 (DAA_tpmSpecific) and 

304 return error TPM_DAA_TPM_SETTINGS on mismatch 

305 d. Set DAA_generic_gamma = inputDataO 

306 e. Verify that SHA- 1 (DAA_generic_gamma) == DAA_issuerSettings -> 

307 DAA_digest_gamma and return error TPM_DAAJNPUT_DATAO on mismatch 

308 f. obtain DAA_SIZE_r0 bits from MGFlf'rO", DAA_session -> DAA_contextSeed), and 

309 label them rO 

310 g. obtain DAA_SIZE_rl bits from MGFl("rl'\ DAA_session -> DAA_contextSeed), and 

311 label them rl 

312 h. set r = rO + 2 A DAA_powerO * rl mod (DAA_issuer Settings -> DAA_generic_q) . 

313 i. Set El = ((DAA„session -> DAA_scratch) A r) mod (DAA_generic_gamma) 

314 j. Set DAA_session -> DAA_scratch = NULL 

315 k. Set outputData = El 

316 1. increment DAA_session -> DAA_stage by 1 

3 17 m. return TPM_SUCCESS. 

318 9. Ifstage==9 

319 a. Verify that DAA_session ->DAA_stage=-9. Return TPM_DAA_STAGE and flush handle 

320 on mismatch 

321 b. Verify that DAAJpmSpecific -> DAA_digestIssuer == SHA- 1 (DAAJssuerSettings) and 

322 return error TPM_DAA_ISSUER_SETTINGS on mismatch 
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323 c. Verify that DAA_session -> DAA_digestContext == SHA- 1 (DAA_tpmSpecific) and 

324 return error TPM_DAA_TPM_SETTINGS on mismatch 

325 d. Verify that inputSizeO == sizeOf(TPM_DIGEST) and return error 

326 TPM_DAA_INPUT_DATAO on mismatch 

327 e. Set DAA_session -> DAA_digest = inputDataO 

328 f . obtain DAA_SIZE_NT bits from the RNG and label them NT 

329 g. Set DAA_session -> DAA_digest to the SHA-1 ( DAA_session -> DAA_digest | | NT ) 

330 h. Set outputData = NT 

331 i. increment DAA_session -> DAA_stage by 1 

332 j. return TPM_SUCCESS. 

333 10. If stage==10 

334 a. Verify that DAA_session ->DAA_stage==10. Return TPM_DAA_STAGE and flush 

335 handle on mismatch 

336 b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA-l(DAA_issuerSettings) and 

337 return error TPM_DAA_ISSUER_SETTINGS on mismatch 

338 c. Verify that DAA_session -> DAA_digestContext == SHA- 1 (DAA_tpmSpecific) and 

339 return error TPM_DAA_TPM_SETTINGS on mismatch 

340 d. Set selector = inputDataO, verify that selector == 0 or 1, and return error 

341 TPM_DAA_INPUT_DATAO on mismatch 

342 e. If selector == 1, verify that inputSizel = sizeOf (TPM_DIGEST) , and 

343 f. Set DAA_session -> DAA_digest to SHA-1 (DAA_session -> DAA_digest | | 1 | | 

344 inputDatal) 

345 g. If selector == 0, verify that inputDatal is a handle to a TPM identity key (AIK), and 

346 h. Set DAA_session -> DAA_digest to SHA-1 (DAA_session -> DAAdigest | | 0 | | n2) 

347 where n2 is the modulus of the AIK 

348 i. Set outputData = DAA_session -> DAA_digest 

349 j. increment DAA_session -> DAA_stage by 1 

350 k. return TPM_SUCCESS. 

351 11. If stage==ll 

352 a. Verify that DAA_session ->DAA_stage==l 1. Return TPM_DAA_STAGE and flush 

353 handle on mismatch 

354 b. Verify that DAA_tpmSpecifrc -> DAA_digestIssuer == SHA- 1 (DAA_issuerSettings) and 

355 return error TPM_DAA_ISSUER_SETTINGS on mismatch 

356 c. Verify that DAA_session -> DAA_digestContext == SHA-l(DAA_tpmSpecific) and 

357 return error TPM_DAA_TPM_SETTINGS on mismatch 

358 d. obtain DAA_SIZE_r0 bits from MGFlf'rO", DAA_session -> DAA_contextSeed), and 

359 label them rO 
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360 e. Setf = SHAl(DAA_tpmSpecific -> DAA_rekey | | DAA_tpmSpecific -> DAA_count | | 0 

361 ) | | SHAl(DAA_tpmSpecific -> DAAjrekey | | DAA_tpmSpecific -> DAA_count | | 1 ) mod 

362 DAA_issuerSettings -> DAA_generic_q. 

363 f. Set fO = f mod 2 A DAA_powerO (erase all but the lowest DAA_powerO bits of f) 

364 g. Set sO = rO + (DAA_session -> DAA_digest)*(fO) 

365 h. set outputData = sO 

366 i. increment DAA_session -> DAA_stage by 1 

367 j . return TPM^SUCCESS 

368 12. If stage==12 

369 a. Verify that DAA_session - >DAA_stage== 1 2 . Return TPM_DAA_STAGE and flush 

370 handle on mismatch 

371 b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA- 1 (DAAjssuerSettings) and 

372 return error TPM_DAA_ISSUER_SETTINGS on mismatch 

373 c. Verify that DAA_session -> DAA_digestContext == SHA- 1 (DAA_tpmSpecific) and 

374 return error TPM_DAA_TPM_SETTINGS on mismatch 

375 d. obtain DAA_SIZE_rl bits from MGFlf'rl", DAA_session -> DAA_contextSeed), and 

376 label them rl 

377 e. Set f - SHA 1 (DAA_tpmSpecific -> DAA__rekey | | DAA_tpmSpecific -> DAA_count | | 0 

378 ) | | SHAl(DAA_tpmSpecific -> DAA_rekey | | DAA_tpmSpecific -> DAA_count | | 1 ) mod 

379 DAA_issuerSettings -> DAA_generic_q. 

380 f. Shift f right by DAA_powerO bits (discard the lowest DAA_powerO bits) and label the 

381 result fl 

382 g. Set si = rl + (DAA_session -> DAA_digest)*(fl) 

383 h. set outputData = si 

384 i. increment DAA_session -> DAA_stage by 1 

385 j . return TPM_SUCCESS 

386 13. If stage==13 

387 a. Verify that DAA„session ->DAA_stage==13. Return TPM_DAA_STAGE and flush 

388 handle on mismatch 

389 b. Verify that DAA_tpmSpecific -> DAA_digestIssuer == SHA- 1 (DAA_issuerSettings) and 

390 return error TPM_DAA_ISSUER_SETTINGS on mismatch 

391 c. Verify that DAA_session -> DAA_digestContext == SHA- 1 (DAA_tpmSpecific) and 

392 return error TPM_DAA_TPM_SETTINGS on mismatch 

393 d. Set DAA_private„vO= unwrap(inputDataO) 

394 e. Verify that SHA- 1 (DAA_private_vO) == DAA_tpmSpecific -> DAA_digest_vO and return 

395 error TPM_DAA_INPUT_DATAO on mismatch 

396 f. obtain DAA_SIZE_r2 bits from MGFl("r2", DAA^session -> DAA^contextSeed), and 

397 label them r2 
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398 g. Set s2 = r2 + (DAA__session -> DAA_digest)*( DAA_private_vO) mod 2 A DAA_powerl 

399 (erase all but the lowest DAA_powerl bits of s2) 

400 h. Set DAA_session -> DAA_scratch = s2 

401 i. set outputData = s2 

402 j . increment DAA_session -> DAA__stage by 1 

403 k. return TPM_SUCCESS 

404 14. If stage==14 

405 a. Verify that DAA_session ->DAA_stage== 1 . Return TPM_DAA_STAGE and flush handle 

406 on mismatch 

407 b. Verify that DAAJipmSpecific -> DAA_digestIssuer == SHA- 1 (DAA_issuerSettings) and 

408 return error TPM_DAA_ISSUER_SETTINGS on mismatch 

409 c. Verify that DAA_session -> DAA_digestContext == SHA- 1 (DAA_tpmSpecific) and 

410 return error TPM_DAA_TPM_SETTINGS on mismatch 

411 d. Set DAA_private_v0= unwrap(inputDataO) 

412 e. Verify that SHA- 1 (DAA_private_vO) == DAA^tpmSpecific -> DAA__digest_vO and return 

413 error TPM_DAA_JNPUT_DATAO on mismatch 

414 f. obtain DAA_SIZE_r2 bits from MGFl("r2", DAA__session -> DAA_contextSeed), and 

415 label them r2 

416 g. Set sl2 = r2 + (DAA_session -> DAA_digest)*(DAA_private_vO). 

417 h. Shift si 2 right by DAA_powerl bits (erase the lowest DAA^powerl bits). 

418 i. Set DAA_session -> DAA_scratch = sl2 

419 j . set outputData = NULL 

420 k. increment DAAjsession -> DAA_stage by 1 

42 1 1 . return TPM^SUCCESS 

422 15. If stage==15 

423 a. Verify that DAA„session ->DAA_stage==15. Return TPM_DAA_STAGE and flush 

424 handle on mismatch 

425 b. Verify that DAAJipmSpecific -> DAA_digestIssuer == SHA- 1 (DAA_issuerSettings) and 

426 return error TPM_DAA_ISSUER_SETTINGS on mismatch 

427 c. Verify that DAA_session -> DAA_digestContext == SHA- 1 (DAA_tpmSpecific) and 

428 return error TPMJDAA_TPM_SETTINGS on mismatch 

429 d. Set D AA_private_v 1 = unwrap (inputDataO) 

430 e. Verify that SHA-l(DAA_private_vl) == DAA_tpmSpecific -> DAA_digest_vl and return 

431 error TPM_DAA_INPUT_DATAO on mismatch 

432 f. obtain DAA_SIZE_r4 bits from MGFl("r4", DAA_session -> DAA_contextSeed), and 

433 label them r4 

434 g. Set s3 = r4 + (DAA_session -> DAA_digest)*(DAA_private_vl) + (DAA_session -> 

435 DAA_scratch). 
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436 h. Set DAA_session -> DAA_scratch = NULL 

437 i. set outputData = s3 

438 j. increment DAA_session -> DAA_stage by 1 

439 k. return TPM_SUCCESS 

440 16. If stage > 15, return error: TPM_DAA_STAGE 
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441 

442 

443 
444 
445 

446 

447 

448 

449 



27. Deprecated commands 



Start of informative comment: 

This section covers the commands that were in version 1. 1 but now have new functionality 
in other functions. The deprecated commands are still available in 1.2 but all new software 
should use the new functionality. ^ : ^ 

There is no requirement that the deprecated commands work with new structures. 
End of informative comment. 



1. Commands deprecated in version 1.2 MUST work with version 1.1 structures 

2. Commands deprecated in version 1.2 MAY work with version 1.2 structures 
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450 27.1 Key commands 

451 [Start ^ w - r ~ ■ : : ; * 

452 The key commands are deprecated as the new way to haridle keys is to use the" standard 

453 context . .coirimari now handled by TPM_FlushSpecific, 

454 TTM^ 

455 End of informative comment . _ _ 

456 27.1.1 TPM_EvictKey 

457 Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPMJTAG 


tag 


TPM_TAG_RQU_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM.COMMANDCODE 


ordinal 


Command ordinat TPM_0RDJEvictKey 


4 


4 






TPM_KEY_HANDLE 


evictHandle 


The handle of the key to be evicted. 


Outgoing Operands and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPMJTAG 


tag 


TPM_TAG_RSP_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM.RESULT 


return Code 


The return code of the operation. 






2S 


4 


TPM_C0MMAND_C0DE 


ordinal 


Command ordinat TPM__ORD_EvictKey 



459 Actions 

460 The TPM will invalidate the key stored in the specified handle and return the space to the 

461 available internal pool for subsequent query by TPM_GetCapability and usage by 

462 TPJVLLoadKey. If the specified key handle does not correspond to a valid key, an error will 

463 be returned. 

464 New 1 .2 functionality 

465 The command must check the status of the ownerEvict flag for the key and if the flag is 

466 TRUE return TPM_KEY_CONTROL_OWNER 
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467 

468 

469 

470 
471 
472 
473 
474 

475 
476 



27.1.2 



TPM Terminate Handle 



[Start of informative comment: 

This allows the TPM manager to clear out information in a session handle. 

The TPM may maintain the authorization session even though a key attached to it has been 
unloaded or the authorization session itself has been unloaded in some way. When a 
command is executed that requires this session, it is the responsibility of the external 
software to load both the entity and the authorization session information prior to 
command execution. 

End of informative comment. 



Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM.TAG 


tag 


TPM_TAG_RQU_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_C0MMAND_C0DE 


ordinal 


Command ordinat TPM_ORDJerminate_Handle. 


4 


4 






TPM.AUTHHANDLE 


handle 


The handle to terminate 


Outgoing Operands and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM.TAG 


tag 


TPM_TAG_RS P_C 0 MMAN D 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM.RESULT 


return Code 


The return code of the operation. 






2S 


4 


TPM_C0MMAND_C0DE 


ordinal 


Command ordinal: TPM_ORD_Terminate_Handle. 



477 



478 

479 
480 

481 

482 
483 

484 

485 
486 
487 

488 

489 



Descriptions 

The TPM SHALL terminate the session and destroy all data associated with the session 
indicated. 

Actions 

A TPM SHALL unilaterally perform the actions of TPM JTerminate_Handle upon detection of 
the following events: 

1 . Completion of a received command whose authorization "continueUse" flag is FALSE. 

2. Completion of a received command when a shared secret derived from the authorization 
session was exclusive -or'ed with data (to provide confidentiality for that data). This 
occurs during execution of a TPM_ChangeAuth command, for example. 

3. When the associated entity is destroyed (in the case of TPM Owner or SRK, for example) 

4. Upon execution of TPM_Init 
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490 5. When the command returns an error. This is due to the fact that when returning an 

491 error the TPM does not send back nonceEveri. There is no way to maintain the rolling 

492 nonces, hence the TPM MUST terminate the authorization session. 

493 6. Failure of an authorization check belonging to that authorization session. 
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494 

495 

496 
497 
498 



27.2 Context management 



500 

501 

502 
503 
504 

505 
506 



Start of informative comment: 

The 1.1 context commands were written for specific resource types. The 1.2 commands are 
generic for all resource types. So the Savexxx commands are replaced by TPM_SaveContext 
and the LoadXXX commands by TPM_LoadContext. , ; 



499 End of informative comment. 



27.2.1 TPM_SaveKeyContext 



Start of informative comment: 

TPM.SaveKeyContext saves a loaded key outside the TPM /Mter creation of the key context 
blob the TPM automatically releases the internal memory used by that key. The format of 
the key context blob is specific to a TPM. 

End of informative comment. 



Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM_TAG 


tag 


TPM_TAG_RQU_COMMAN D 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal: TPM_ORD_SaveKeyContext 


4 


4 






TPM_KEY_HANDLE 


keyHandle 


The key which will be kept outside the TPM 


Outgoing Operands and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPMJTAG 


tag 


TPM_TAG_RSP_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM.RESULT 


retumCode 


The return code of the operation. 






2S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinat TPM_ORD_SaveKeyContext 


4 


4 


3S 


4 


UINT32 


keyContextSize 


The actual size of the outgoing key context blob. If the command fails the value 
will be 0 


5 


<> 


4S 


<> 


BYTEQ 


keyContextBlob 


The key context blob. 



507 



508 

509 
510 
511 

512 
513 
514 
515 



Description 

1. This command allows saving a loaded key outside the TPM. After creation of the 
keyContextBlob, the TPM automatically releases the internal memory used by that key. 
The format of the key context blob is specific to a TPM. 

2. A TPM protected capability belonging to the TPM that created a key context blob MUST 
be the only entity that can interpret the contents of that blob. If a cryptographic 
technique is used for this purpose, the level of security provided by that technique 
SHALL be at least as secure as a 2048 bit RSA algorithm. Any secrets (such as keys) 
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516 used in such a cryptographic technique MUST be generated using the TPM's random 

517 number generator. Any symmetric key MUST be used within the power-on session 

518 during which it was created, only. 

519 3. A key context blob SHALL enable verification of the integrity of the contents of the blob 

520 by a TPM protected capability. 

521 4. A key context blob SHALL enable verification of the session validity of the contents of the 

522 blob by a TPM protected capability. The method SHALL ensure that all key context blobs 

523 are rendered invalid if power to the TPM is interrupted. 
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524 

525 

526 
527 
528 

529 
530 



27.2.2 TPM_LoadKeyContext 



TPM_iLoadKey Gontext : loads a key context, blob into the TPM previously retrieved by a 
TPM_SaveKeyGontext call. After successful completion . the handle returned by this 
command caii be used to access the key. 

End of informative comment. 



Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPMJTAG 


tag 


TPM_TAG„RQU_COMMAND 


2 


4 






UINT32 


pa ram Size 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_C0MMAND_C0DE 


ordinal 


Command ordinal: TPM_ORD_LoadKeyContext 


4 


4 


2S 


4 


UINT32 


keyContextSize 


The size of the following key context blob. 


5 


<> 


3S 


o 


BYTEQ 


keyContextBlob 


The key context blob. 


Outgoing Operands and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPMJTAG 


tag 


TPMJTAG_RSP_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_RESULT 


re turn Code 


The return code of the operation. 






2S 


4 


TPM_C0MMAND_C0DE 


ordinal 


Command ordinal: TPM_ORD_LoadKeyContext 


4 


4 






TPM^KEY.HANDLE 


keyHandle 


The handle assigned to the key after it has been successfully loaded. 



531 



532 

533 
534 
535 

536 
537 
538 

539 
540 
541 



Description 

1 . This command allows loading a key context blob into the TPM previously retrieved by a 
TPM_SaveKeyContext call. After successful completion the handle returned by this 
command can be used to access the key. 

2. The contents of a key context blob SHALL be discarded unless the contents have passed 
an integrity test. This test SHALL (statistically) prove that the contents cf the blob are 
the same as when the blob was created. 

3. The contents of a key context blob SHALL be discarded unless the contents have passed 
a session validity test. This test SHALL (statistically) prove that the blob was created by 
this TPM during this power- on session. 
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542 

543 

544 
545 
546 

547 
548 



27.2.3 



TPM SaveAuthContext 



Start of informative ;. comment : 



TPM_SaveAuthGontext saves a loaded authorizati^ session outside the TPM After creation 
of the authorization context bibb, the TPM automatically releases t±ie internal memory used 
by that se ssion. The format of the authorization context blob is specific to a TPM. 

End of informative comment. 



Incoming Operands and Sizes 



PARAM 


HMAC ; ! 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPMJTAG 


tag 


TPM_TAG_RQU_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal: TPM_ORD_SaveAuthContext 


4 


4 






TPM_AUTH HANDLE 


authHandle 


Authorization session which will be kept outside the TPM 


Ou 


tgoi 


ng < 


Operands and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPMJTAG 


tag 


TPM_TAG_RSP_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_RESULT 


returnCode 


The return code of the operation. 






2S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal: TPM_ORD_SaveAuthContext 


4 


4 


3S 


4 


UINT32 


authContextSize 


The actual size of the outgoing authorization context blob. If the command fails 
the value will be 0. 


5 


o 


4S 


4 


BYTEO 


authContextBlob 


The authorization context blob. 



549 



550 

551 

552 
553 

554 
555 
556 
557 
558 
559 
560 

561 
562 

563 
564 
565 



Description 

This command allows saving a loaded authorization session outside the TPM. After creation 
of the authContextBlob, the TPM automatically releases the internal memory used by that 
session. The format of the authorization context blob is specific to a TPM. 

A TPM protected capability belonging to the TPM that created an authorization context blob 
MUST be the only entity that can interpret the contents of that blob. If a cryptographic 
technique is used for this purpose, the level of security provided by that technique SHALL 
be at least as secure as a 2048 bit RSA algorithm. Any secrets (such as keys) used in such a 
cryptographic technique MUST be generated using the TPM's random number generator. 
Any symmetric key MUST be used within the power-on session during which it was created, 
only. 

An authorization context blob SHALL enable verification of the integrity of the contents of 
the blob by a TPM protected capability. 

An authorization context blob SHALL enable verification of the session validity of the 
contents of the blob by a TPM protected capability. The method SHALL ensure that all 
authorization context blobs are rendered invalid if power to the TPM is interrupted. 
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566 
567 

568 
569 
570 

571 
572 



27.2.4 



TPM LoadAuthContext 



Start of informative comment: 



TPM LoadAuthContext' loads ...an authorization context blob into the TPM- previously 
retrieved by a TPM_SaveAuthContext call. After successful completion the handle returned 
by this command can be used to access the authorization session. 

End of informative comment. ^ : ; 



Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM_TAG 


tag 


TPM_TAG_RQU_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_C0MMAND_C0DE 


ordinal 


Command ordinat TPM_ORD_LoadAuthContext 


4 


4 


2S 


4 


UINT32 


authContextSize 


The size of the following authorization context blob. 


5 


<> 


3S 


<> 


BYTEO 


authContextBlob 


The authorization context blob. 


Outgoing Operands and Sizes 


PARAM 


HMAC ; 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM.TAG 


tag 


TPM_TAG_RSP_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_RESULT 


retumCode 


The return code of the operation. 






2S 


4 


TPM_C0MMAND_C0DE 


ordinal 


Command ordinat TPM_ORD_LoadAuthContext 


4 


4 






TPM_KEY_HANDLE 


authHandle 


The handle assigned to he authorization session after it has been successfully 
loaded. 



573 



574 

575 
576 
577 

578 
579 
580 

581 
582 
583 



Description 

This command allows loading an authorization context blob into the TPM previously 
retrieved by a TPM_SaveAuthContext call. After successful completion the handle returned 
by this command can be used to access the authorization session. 

The contents of an authorization context blob SHALL be discarded unless the contents have 
passed an integrity test. This test SHALL (statistically) prove that the contents of the blob 
are the same as when the blob was created. 

The contents of an authorization context blob SHALL be discarded unless the contents have 
passed a session validity test. This test SHALL (statistically) prove that the blob was created 
by this TPM during this power-on session. 
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584 27.3 DIR commands 

585 Start of informative comment: 

586 jThe DIR commands are replaced by the NV storage commands. 

587 IThe DIR [0] in 1.1 is now TPM_PERMANENTJDATA -> authDIR[0] and is always available for 

588 'the TPM to use. It is accessed by DIR commands using dirlndex 0 and by NV commands 

589 jusing nvlndex TPM_NVJNDEX TDIR. 

590 [if the TPM vendor supports additional DIR registers, the TPM vendor may return errors or 

591 iprovide vendor specific mappings for those DIR registers to NV storage locations. 

592 [End of informative comment. 



593 1. A dirlndex value of 0 MUST corresponds to an NV storage nvlndex value 

594 TPM_NVJNDEX_DIR. 

595 2. The TPM vendor MAY return errors or MAY provide vendor specific mappings for DIR 

596 dirlndex values greater than 0 to NV storage locations. 
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597 

598 

599 
600 
601 

602 
603 

604 
605 

606 
607 



27.3.1 



TPM DirWriteAuth 



Start of informative comment: 

The TPM DirWriteAuth operation provides write access to the Data Integrity Registers. DIRs j 
aire non-volatile memory registers held in a TPM-shielded location. Owner authentication is ; 
required to authorize this action. M 

Access is also provided through the NV commands with nvlndex TPMJW_INDEX_JDIR. 
Owner authorization is not required when nvLocked is FALSE. 

Version 1.2 requires only one DIR. If the DIR named does not exist, the TPM_DirWriteAuth 
operation returns TPM^BADINDEX. 

End of informative comment* 



Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPMJTAG 


tag 


TPM_TAG_RQU_AUTH 1 .COMMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


is 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal: TPM_ORD_DirWriteAuth. 


4 


4 


2S 


4 


TPM_DIRINDEX 


dirindex 


Index of the DIR 


5 


20 


3S 


20 


TPM.DIRVALUE 


newContents 


New value to be stored in named DIR 


6 


4 






TPM_AUTH HANDLE 


authHandle 


The authorization session handle used for command. 






2H1 


20 


TPM.NONCE 


authLastNonceEven 


Even nonce previously generated by TPM to cover inputs 


7 


20 


3H1 


20 


TPM.NONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


8 


1 


4H1 


1 


BOOL 


continueAuthSession 


The continue use flag for the authorization session handle 


9 


20 






TPM_AUTHDATA 


ownerAuth 


The authorization session digest for inputs. HMAC key: ownerAuth. 


Ou 


tgo 


ing C 


>perands and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM.TAG 


tag 


TPM_TAG_RSP JVUTH1 .COMMAND 


j 2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_RESULT 


returnCode 


The return code of the operation. 






2S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal: TPM.ORD.DirWriteAuth 


4 


20 


2H1 


20 


TPM_N0NCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 






3H1 


20 


TPM.NONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


5 


1 


4H1 


1 


BOOL 


continueAuthSession 


Continue use flag, TRUE if handle is still active 


6 


20 






TPM.AUTHDATA 


resAuth 


The authorization session digest for the returned parameters. HMAC key: 
ownerAuth. 



609 Actions 
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610 1. Validate that authHandle contains a TPM Owner 

611 TPM_DirWriteAuth command 

612 2. Validate that dirlndex points to a valid DIR on this TPM 

613 3. Write newContents into the DIR pointed to by dirlndex 
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614 

615 27.3.2 TPMJDirRead 

616 [StSrt^f informative comment: ; 

617 The TPM_DirRead operation provides read access to the D IRs . No authentication is, required 

618 to perform this, action because typically no ciyptographically useful AuthData is available \ 

619 iearlv in boot. TiSS imp to provide other means of authorizing tWs 

620 action. Version 1.2 requires only one DIR. If the DIR named < does not exist, the 

621 TPM DirRead operation returns TPM_JBADINDEX. 

622 End of informative comment. ^■^^ I '^ ^ ^#^ v-i ;M 

623 Incoming Operands and Sizes 



PARAM j 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM_TAG 


tag 


TP M_TAG_RQU_COM M AN D 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinat TPM_ORD_DirRead. 


4 


4 


2S 


4 


TPM_DIRINDEX 


dirtndex 


Index of the DIR to be read 


Oil 


tgo 


ing < 


Operands and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPMJAG 


tag 


TPM_TAG_RSP_COM MAN D 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_RESULT 


retumCode 


The return code of the operation. 






2S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinat TPM_ORD_DirRead. 


4 


20 


3S 


20 


TPM_DIRVALUE 


dirContents 


The current contents of the named DIR 



625 Actions 

626 1 . Validate that dirlndex points to a valid DIR on this TPM 

627 2. Return the contents of the DIR in dirContents 
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628 
629 

630 
631 

632 



27.4 Change Auth 



Start of informative comment 



' ' " , * - \ , 

The change auth ucommands ; can be> duplicated by creating a transport session with 
confidentiality and issuing the changeAuth command. 



End of informative comment. 
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633 
634 

635 
636 
637 

638 
639 
640 
641 
642 
643 

644 
645 
646 
647 
648 
649 
650 
651 
652 



27.4.1 TPM_ChangeAuthAsymStart 



Start of informative comment: 

The TPM_ChaneeAuthAsymStart starts the process of changing AuthData for an entity. It 
sets up an OIAP session that must be retained for use by its twin 
TPM_ChangeAuthAsymFinish command. 

|TPM_ChangeAuthAs3nriStart creates a temporary asymmetric public key "tempkey" to 
provide confidentiality , for new Auth^ sent to the TPM. TPM^ChangeAuthAsymStart 

certifies that tempkey was generated by a genuine TPM, by generating a certifylnfo 
structure that is signed by a TPM identity. The owner of that TPM identity must cooperate 
to produce this command, because TPM_ChangeAuthAsymStart requires authorization to 
use that identity. 

It is envisaged that tempkey and certifylnfo are given to the owner of the entity whose 
authorization is to be changed. That owner uses certifylnfo and a 
!TPM_IDENTITY_CREDENTIAL to verify that tempkey was generated by a genuine TPM. This 
lis done by verifying the TPMJDENTITY_CREDENTIAL using the public key of a GA, 
(verifying the signature on the certifylnfo structure with the public key of the identity in 
:TPM_IDENTITY_CREDENTIAL, and verifying tempkey by comparing its digest with the value 
[inside certifylnfo. The owner uses tempkey to encrypt the desired new AuthData and inserts 
[that encrypted data in a TPM_ChangeAuthAsymFinish command, in the knowledge that 
only a TPM with a specific identity can interpret the new AuthData- . 



653 j£nd of informative comment. 



654 Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM.TAG 


tag 


TPM_TAG_RQU_AUTH1_C0MMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal: TPM_ORD_ChangeAutnAsymStart. 


4 


4 






TPM_KEY_HANDLE 


idHandle 


The keyHandle identifier of a loaded identity ID key 


5 


20 


2s 


20 


TPM.NONCE 


antiReplay 


The nonce to be inserted into the certifylnfo structure 


6 


o 


3S 


<> 


TPM_KEY_PARMS 


tempKey 


Structure contains all parameters of ephemeral key. 


7 


4 






TPM.AUTHHANDLE 


authHandle 


The authorization session handle used for idHandle authorization. ! 






2H1 


20 


TPM.NONCE 


authLastNonceEven 


Even nonce previously generated by TPM to cover inputs 


8 


20 


3H1 


20 


TPM_N0NCE 


nonceOdd 


Nonce generated by system associated with authHandle 


9 


1 


4H1 


1 


BOOL 


continueAuthSession 


The continue use flag for the authorization session handle 


10 


20 






TPM_AUTHDATA 


idAuth 


Authorization. HMAC key: idKey.usageAuth. 
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655 Outgoing Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPMJAG 


tag 


TPM_TAG_RSP_AUTH 1 _C0MMAND 


2 


4 






UINT32 


paramSize 


Total number of output byes including paramSize and tag 


3 


4 


1S 


4 


TPM_RESULT 


return Code 


The return code of the operation. 






2S 


4 


TPM_COMMAND_CODE 


ordinal 


command ordinal. 1 KM_UKU_OnangeAuinAsym5>ian 


7 


95 


3S 


95 


TPM_CERTIFY_INFO 


certityinTo 


The certifylnfo structure that is to be signed. 


8 


4 


4S 


4 


1 1 1 K |TO O 

UINT32 


sigSize 


The used size of the output area for the signature 


9 


<> 


5S 


<> 


BYTEM 


sig 


The signature of the certifylnfo parameter. 


10 


4 


6s 


4 


TPM_KEY_HANDLE 


ephHandle 


The keyHandle identifier to be used by ChangeAuthAsymFinish for the 
ephemeral key 


11 


<> 


7S 


<> 


TPM_KEY 


tempKey 


Structure containing ail parameters and public part of ephemeral key. 
TPM_KEY.encSize is set to 0. 


12 


20 


2H1 


20 


TPM.NONCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 






3H1 


20 


TPM_N0NCE 


no rice Odd 


Nonce generated by system associated with auth Handle 


13 


1 


4H1 


1 


BOOL 


continueAuthSession 


Continue use flag, TRUE if handle is still active 


14 


20- 






TPM_AUTHDATA 


resAuth 


Authorization. HMAC key: kJKey.usageAuth. 



656 


Actions 


657 


1. 


The TPM SHALL verify the AuthData to use the TPM identity key held in idHandle. The 


658 




TPM MUST verify that the key is a TPM identity key. 


659 


2. 


The TPM SHALL validate the algorithm parameters for the key to create from the 


660 




tempKey parameter. 


661 


3. 


Recommended key type is RSA 


662 


4. 


Minimum RSA key size MUST is 512 bits, recommended RSA key size is 1024 


663 


5. 


For other key types the minimum key size strength MUST be comparable to RSA 512 


664 


6. 


If the TPM is not designed to create a key of the requested type, return the error code 


665 




TPM_B AD_KEY_PRO PERTY 


666 


7. 


The TPM SHALL create a new key (kl) in accordance with the algorithm parameter. The 


667 




newly created key is pointed to by ephHandle. 


668 


8. 


The TPM SHALL fill in all fields in tempKey using kl for the information. The TPM_KEY - 


669 




> encSize MUST be 0. 


670 


9. 


The TPM SHALL fill in certifylnfo using kl for the information. The certifylnfo -> data 


671 




field is supplied by the antiReplay. 


672 


lO.The TPM then signs the certifylnfo parameter using the key pointed to by idHandle. The 


673 




resulting signed blob is returned in sig parameter 
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674 Field Descriptions for certifylnfo parameter 



Type 


Name 


Description 


TPM VERSION i 


Version 


TPM version structure; Part 2 TPMJ/ERSION 




Redirection 


This SHALL be set to FALSE 




Mig ratable 


This SHALL be set to FALSE 




Volatile 


This SHALL be set to TRUE 


TPM_AUTH_DATA_USAGE 


authDataUsage 


This SHALL be set to TPM_AUTH_NEVER 


TPM_KEY_USAGE 


KeyUsage 


This SHALL be set to TPM_KEY_AUTHCHANGE 


UINT32 


PCRInfoSize 


This SHALL be set to 0 


TPM.DIGEST 


pubDigest 


This SHALL be the hash of the public key being certified. 


TPM_NONCE 


Data 


This SHALL be set to antiReplay 


TPM_KEY_PARMS 


info 


This specifies the type of key and its parameters. 


BOOL 


parentPCRStatus 


This SHALL be set to FALSE. 



675 
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676 

677 

678 
679 

680 
681 
682 
683 
684 
685 

686 
687 

688 
689 
690 
691 

692 
693 



27.4.2 TPM_ChangeAuthAsymFinish 



Start of informative comment: j 

The TPM_ChangeAuth command allows the owner of an entity to change the AuthData for 
the entity. ..; t, #C ; ■ ' : ; ■ sS 

The command requires the cooperation of the owner of the parent of the entity, since 
AuthData must be provided to use that parent entity. The command requires knowledge of j 
the existing AuthData information and passes the new AuthData information. The! 
newAuthLink parameter proves knowledge of existing AuthData information arid new 
AuthData information. The new AuthData information "encNewAuth" is encrypted using the 
"tempKey" variable obtained via TPM_ChangeAuthAsymStart. 

A parent therefore retains control over a change in the AuthData; of a child, but is prevented 
from knowing the new AuthData for that child. 

The changeProof parameter provides a proof that the new AuthData value was properly 
inserted into the entity. The inclusion of a nonce from the TPM provides an entropy source 
in the case where the AuthData value may be in itself be a low entropy value (hash of a 
password etc). 

End of informative comment. _ , 



Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM_TAG 


tag 


TPM_TAG_RQU_AUTH1_COMMAND 


2 


4 






UINT32 


pa ram Size 


Totaf number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal: TPM_ORD_ChangeAuthAsymFinish 


4 


4 






TPM_KEY_HANDLE 


parentHandle 


The keyHandle of the parent key for the input data 


5 


4 






TPM_KEY_HANDLE 


ephHandle 


The keyHandle identifier for the ephemeral key 


6 


2 


3S 


2 


TPM_ENTITY_TYPE 


entityType 


The type of entity to be modified 


7 


20 


4s 


20 


TPM_HMAC 


newAuthLink 


HMAC calculation that links the old and new AuthData values together 


8 


4 


5S 


4 


UINT32 


newAuthSize 


Size of encNewAuth | 


9 


o 


6S 


o 


BYTE[] 


encNewAuth 


New AuthData encrypted with ephemeral key. 


10 


4 


7S 


4 


UINT32 


encDataSize 


The size of the inData parameter 


11 


<> 


8S 


o 


BYT^] 


encData 


The encrypted entity that is to be modified. 


12 


4 






TPM_AUTH HANDLE 


authHandle 


Authorization for parent key. 






2H1 


20 


TPM_N0NCE 


authLastNonceEven 


Even nonce previously generated by TPM to cover inputs 


13 


20 


3H1 


20 


TPM_N0NCE 


nonceOdd 


Nonce generated by system associated with authHandle 


14 


1 


4H1 


1 


BOOL 


continueAuthSession 


The continue use flag for the authorization session handle 


15 


20 






TPM_AUTHDATA 


privAuth 


The authorization session digest for inputs and parentHandle. HMAC 
key: parentKey .usageAuth. 



694 
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695 Outgoing Operands and Sizes 



j PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM_TAG ! 


tag 


TPM_TAG_RSP_AUTH 1 .COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_RESULT 


returnCode 


The return code of the operation. 






2S 


4 


TPM_C0MMAND_C0DE 


ordinal 


Command ordinal: TPM_ORD_ChangeAuthAsymFinish 


4 


4 


3S 


4 


UINT32 


outDataSize 


The used size of the output area for outData 


5 


<> 


4S 


o 


BYTEf] 


outData 


The modified, encrypted entity. 


6 


20 


5s 


20 


TPM.NONCE 


saltNonce 


A nonce value from the TPM RNG to add entropy to the changeProof 
value 


7 


o 


6S 


o 


TPM_DIGEST 


changeProof 


Proof that AuthData has changed. 


8 


20 


2H1 


20 


TPM.NONCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 






3H1 


20 


TPM.NONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


9 


1 


4H1 


I 1 


BOOL 


continueAuthSession 


Continue use flag, TRUE if handle is still active 


10 


20 






TPM.AUTHDATA 


resAuth 


The authorization session digest for the returned parameters. HMAC key: 
parentKey.usageAuth. 



696 Description 

697 If the parentHandle points to the SRK then the HMAC key MUST be built using the TPM 

698 Owner authentication. 

699 Actions 

700 1 . The TPM SHALL validate that the authHandle parameter authorizes use of the key in 

701 parentHandle. 

702 2. The encData field MUST be the encData field from TPM_STORED_DATA or TPM_KEY. 

703 3. The TPM SHALL create el by decrypting the entity held in the encData parameter. 

704 4. The TPM SHALL create al by decrypting encNewAuth using the ephHandle -> 

705 TPM_KEY_AUTHCHANGE private key. al is a structure of type 

706 TPM_CHANGEAUTH__VALIDATE. 

707 5. The TPM SHALL create bl by performing the following HMAC calculation: bl = HMAC 

708 (al -> newAuthSecret). The secret for this calculation is encData -> currentAuth. This 

709 means that bl is a value built from the current AuthData value (encData -> 

710 currentAuth) and the new AuthData value (al -> newAuthSecret). 

711 6. The TPM SHALL compare bl with newAuthLink. The TPM SHALL indicate a failure if the 

712 values do not match. 

713 7. The TPM SHALL replace el -> authData with al -> newAuthSecret 

714 8. The TPM SHALL encrypt el using the appropriate functions for the entity type. The key 

715 to encrypt with is parentHandle. 

716 9. The TPM SHALL create saltNonce by taking the next 20 bytes from the TPM RNG. 
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717 10. The TPM SHALL create changeProof a HMAC of (saltNonce concatenated with al -> nl) 

718 using al -> newAuthSecret as the HMAC secret. 

719 11. The TPM MUST destroy the TPM_KEY_AUTHCHANGE key associated with the 

720 authorization session. 
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721 27.5 TPM Reset 




726 Deprecated Command in 1.2 

727 Incoming Parameters and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 




SZ 


1 


2 






TPMJTAG 


tag 


TPM _T AG_R Q U_C 0 M M AN D 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal: TPM_0RD_Reset. 


Outgoing Parameters and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPMJTAG 


tag 


TPMJTAG_RSP_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_RESULT 


return Code 


The return code of the operation. 






2S 


4 


TPM.COMMANDCODE 


ordinal 


Command ordinal: TPM_ORD_Reset 



729 Description 

730 This is a deprecated command in VI. 2. This command in 1.1 only referenced authorization 

731 sessions and is not upgraded to affect any other TPM entity in 1.2 

732 Actions 

733 1 . The TPM invalidates all resources allocated to authorization sessions as per version 1 . 1 

734 extant in the TPM 

735 a. This includes structures created by TPM_SaveAuthContext and TPM_SaveKeyContext 

736 b. Structures created by TPM_Contextxxx (the new 1.2 commands) are not affected by 

737 this command 

738 2. The TPM does not reset any PCR or DIR values. 

739 3. The TPM does not reset any flags in the TPM_STCLEAR_FLAGS structure. 

740 4. The TPM does not reset or invalidate any keys 
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741 27.6 TPM OwnerReadPubek 




745 Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPMJTAG 


tag 


TPM_TAG_RQU_AUTH 1 _COMMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag ! 


3 


4 


1S 


4 


TPM_C0MMAND_C0DE 


ordinal 


Command ordinal: TPM_ORD_OwnerReadPubek 


4 


4 






TPM_AUTHHANDLE 


authHandle 


The authorization session handle used for owner authentication 






2H1 


20 


TPM.NONCE 


authLastNonceEven 


Even nonce previously generated by TPM to cover inputs 


5 


20 


3H1 


20 


TPM_N0NCE 


nonceOdd 


Nonce generated by system associated with authHandle 


6 


1 


4H1 


1 


BOOL 


continueAuthSession 


The continue use flag for the authorization session handle 


7 


20 






TPM_AUTHDATA 


ownerAuth 


The authorization session digest for inputs and owner authentication. 
HMAC key: ownerAuth. 


Ou 


tgoi 


ng C 


tperands and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPMJTAG 


tag 


TPM_TAG_RSP_AUTH 1 .COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_RESULT 


returnCode 


The return code of the operatioa 






2S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal: TPM_ORD_OwnerReadPubek 


4 


o 


3S 


o 


TPM_PUBKEY 


pubEndorsementKey 


The public endorsement key 


5 


20 


2H1 


20 


TPM_N0NCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 






3H1 


20 


TPM_N0NCE 


nonceOdd 


Nonce generated by system associated with authHandle 


6 


1 


4H1 


1 


BOOL 


continueAuthSession 


Continue use flag, TRUE if handle is still active 


7 


20 






TPM_AUTHDATA 


resAuth 


The authorization session digest for the returned parameters. HMAC key: 
ownerAuth. 



747 Description 

748 This command returns the PUBEK. 

749 Actions 

750 The TPM_OwnerReadPubek command SHALL 

751 1. Validate the TPM Owner AuthData to execute this command 

752 2. Export the PUBEK 
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753 27.7 TPIVLDisablePubekRead 

754 Start of informative comment: ' "j 

755 The TPM Owner may wish to prevent any entity from reading the PUBEK. This command j 

756 sets the non-volatile flag so that the TPM_ReadPubek command always returns! 

757 TPM_DISABLED_CMD . 

758 (This command has in essence been deprecated as TPM_TakeOwnership now sets the value | 

759 I to false. The command remains at this time for backward compatibility. 

760 jEnd of informative comment. „ L 

761 Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM_TAG 


tag 


TPM_TAG_RQU_AUTH 1 _C0MMAND 


2 


4 






U1NT32 


paramSize 


Total number of input bytes including paramSize aid tag 


3 


4 


1S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal: TPMjORD_DisablePubekRead 


4 


4 






TPM.AUTHHANDLE 


authHandle 


The authorization session handle used for owner authentication 






2H1 


20 


TPM_N0NCE 


authLastNonceEven 


Even nonce previously generated by TPM to cover inputs 


5 


20 


3H1 


20 


TPM.NONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


6 


1 


4H1 


1 


BOOL 


continueAuthSession 


The continue use flag for the authorization session handle j 


7 


20 






TPM_AUTHDATA 


ownerAuth 


The authorization session digest for inputs and owner authorization. 
HMAC key: ownerAuth. 


Ou 


tgo 


ing C 


)perands and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 




1 


2 






TPM.TAG 


tag 


TPM_TAG_RSP_AUTH 1 _COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_RESULT 


returnCode 


The return code of the operation. 






2S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal: TPM_ORD_DisablePubekRead 


4 


20 


2H1 


20 


TPMJMONCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 






3H1 


20 


TPM_N0NCE 


nonceOdd 


Nonce generated by system associated with authHandle 


5 


1 


4H1 


1 


BOOL 


continueAuthSession 


Continue use flag, TRUE if handle is still active 


6 


20 






TPM_AUTHDATA 


resAuth 


The authorization session digest for the returned parameters. HMAC key: 
ownerAuth. 



763 Actions 

764 1. This capability sets the TPM_PERMANENT_FLAGS -> readPubek flag to FALSE. 
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27.8 TPM_LoadKey 



Start of informative comment: 

Version 1.2 deprecates TPM_LoadKey due to the HMAC of the new key handle on return. 
The wrapping makes use of the handle difficult in an environment where the TSS, or other 
management entity, is changing the TPM handle to a virtual handle. 

Software using TPM_LoadKey on a 1.2 TPM can have a collision with the returned handle as 
the 1.2 TPM uses random values in the lower three bytes of the handle. All new software 
must use LoadKey2 to allow management software the ability to manage the key handle. 

Before the TPM can use a key to either wrap, unwrap, bind, unbind, seal, unseal, sign or 
perform any other action, it needs to be p*esent in the TPM. The TPM JLoadKey function 
loads the key into the TPM for further use. " : : 

The TPM assigns the key handle. The TPM always locates a loaded key by use of the handle. 
The assumption is that the handle may change due to key management operations. It is the 
responsibility of upper level software to maintain the mapping between handle and any 
label used by external software . 

This command has the responsibility of enforcing restrictions on the use of keys. For 
example, when attempting to load a STORAGE key it will be checked for the restrictions on 
a storage key (2048 size etc.) . ■ . ■ . . . . . 

The load command must maintain a record of whether any previous key in the key 
hierarchy was bound to a PCR using parentPCRStatus . 

The flag parentPGRStatus enables the possibility of checking that a platform passed 
through some particular state or states before finishing in the current state. A grandparent 
key could be linked to state- 1, a parent key could linked to state -2, and a child key could be 
linked to state -3, for example. The use of the child key then indicates that the platform 
passed through states 1 and 2 and is currently in state 3, in this example. TPM_Startup 
with stType == TPMJ3T_CLEAR indicates that the platform has been reset, so the platform 
has not passed through the previous states. Hence keys with parentPCRStatus==TRUE 
must be unloaded if TPM^Startup is issued with stType ™ TPM_ST_CLEAR. 

If a TPM_KEY structure has been decrypted AND the integrity test using "pubDataDigest" 
has passed AND the key is non-migratory, the key must have been created by the TPM. So 
there is every reason to believe that the key poses no security threat to the TPM . While there 
is no known attack from a rogue migratory key, there is a desire to .verify that a loaded 
migratory key is a real key, arising from a general sense of unease about execution of 
arbitrary data as a key. Ideally a consistency check would consist of an encrypt/ decrypt 
cycle, but this may be expensive. For RSA keys, it is therefore suggested that the 
consistency test consists of dividing the supposed RSA product by the supposed RSA prime, 
and checking that there is no remainder. 

End of informative comment* 1 
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S03 Incoming Operands and Sizes 



PARAM I 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM JAG 


tag 


TPM_TAG_RQU_AUTH1 .COMMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_C0MMAND_C0DE 


ordinal 


Command ordinat TPM_ORD_LoadKey. 


4 


4 






TPM_KEY_HANDLE 


parentHandle 


TPM handle of parent key. 


5 


o 


2S 


o 


TPM_KEY 


inKey 


Incoming key structure, both encrypted private and clear public portions. 
MAY be TPM_KEY12 


6 


4 






TPM_AUTHHANDLE 


authHandle 


The authorization session handle used for parentHandle authorization. 






2H1 


20 


TPM.NONCE 


authLastNonceEven 


Even nonce previously generated by TPM to cover inputs 


7 


20 


3H1 


20 


TPMJslONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


8 


1 


4H1 


1 


BOOL 


continueAuthSession 


The continue use flag for the authorization session handle 


9 


20 






TPM _AUTHDATA 


parentAuth 


The authorization session digest for inputs and parentHandle. HMAC 
key: parentKey. usage Auth. 


Outgoing Operands and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPMJTAG 


tag 


TPM_TAG_RSP_AUTH 1 _COM MAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_RESULT 


returnCode 


The return code of the operation. 






2S 


4 


TPM_C0MMAND_C0DE 


ordinal 


Command ordinal: TPM_ORD_LoadKey 


4 


4 


3S 


4 


TPM_KEY_HANDLE 


inkeyHandle 


Internal TPM handle where decrypted key was loaded. 


5 


20 


2H1 


20 


TPM_N0NCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 






3H1 


20 


TPM.NONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


6 


1 


4H1 


1 


BOOL 


continueAuthSession 


Continue use flag, TRUE if handle is still active 


7 


20 






TPM jMJTHDATA 


resAuth 


The authorization session digest for the returned parameters. HMAC key: 
parentKey.usageAuth. 



305 Actions 

306 The TPM SHALL perform the following steps: 

307 1. Validate the command and the parameters using parentAuth and parentHandle -> 

308 usage Auth 

309 2. If parentHandle -> keyUsage is NOT TPM_KEY_STORAGE return 

310 TPM_INVALID_KEYUSAGE 

311 3. If the TPM is not designed to operate on a key of the type specified by inKey, return the 

3 1 2 error code TPM_BADJCEY_PROPERTY 

313 4. The TPM MUST handle both TPMJCEY and TPM_KEY12 structures 

314 5. Decrypt the inKey -> privkey to obtain TPM_STORE_ASYMKEY structure using the key 

315 in parentHandle 
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S 16 6. Validate the integrity of inKey and decrypted TPM_STORE_ASYMKEY 

317 a. Reproduce inKey -> TPM_STORE_ASYMKEY -> pubDataDigest using the fields of 

318 inKey, and check that the reproduced value is the same as pubDataDigest 

319 7. Validate the consistency of the key and it's key usage. 

320 a. If inKey -> keyFlags -> migratable is TRUE, the TPM SHALL verify consistency of the 

321 public and private components of the asymmetric key pair. If inKey -> keyFlags -> 

322 migratable is FALSE, the TPM MAY verify consistency of the public and private 

323 components of the asymmetric key pair. The consistency of an RSA key pair MAY be 

324 verified by dividing the supposed (P*Q) product by a supposed prime and checking that 

325 there is no remainder.. 

326 b. If inKey -> keyUsage is TPM_KEY_IDENTITY, verify that inKey- >keyFlags->migratable 

327 is FALSE. If it is not, return TPM_INVALID_KEYUSAGE 

328 c. If inKey -> keyUsage is TPM_KEY_AUTHCHANGE, return TPM_INVALID_KEYUSAGE 

329 d. If inKey -> keyFlags -> migratable equals 0 then verify that TPM_STORE_ASYMKEY - 

330 > migrationAuth equals TPM_PERMANENT_DATA -> tpmProof 

331 e. Validate the mix of encryption and signature schemes 

332 f. If TPM_PERMANENT_FLAGS -> FIPS is TRUE then 

333 i. If keylnfo -> keySize is less than 1024 return TPM_NOTFIPS 

334 ii. If keylnfo -> authDataUsage specifies TPM_AUTH_NEVER return TPM_NOTFIPS 

335 iii. If keylnfo -> keyUsage specifies TPM_KEY_LEGACY return TPM_NOTFIPS 

336 g. If inKey -> keyUsage is TPM_KEY_STORAGE or TPM_KEY_MIGRATE 

337 i. algorithmID MUST be TPM_ALG_RSA 

338 ii. Key size MUST be 2048 

339 iii. sigScheme MUST be TPM_SS_NONE 

340 h. If inKey -> keyUsage is TPM_KEY_IDENTITY 

341 i. algorithmID MUST be TPM_ALG_RSA 

342 ii. Key size MUST be 2048 

343 iii. encScheme MUST be TPM_ES_NONE 

344 i. If the decrypted inKey -> pcrlnfo is NULL, 

345 i. The TPM MUST set the internal indicator to indicate that the key is not using any 

346 PCR registers. 

347 j. Else 

348 i. The TPM MUST store pcrlnfo in a manner that allows the TPM to calculate a 

349 composite hash whenever the key will be in use 

350 ii. The TPM MUST handle both version 1.1 TPM_PCR_INFO and 1.2 
851 TPM_PCR_INFO_LONG structures according to the type of TPM_KEY structure 

352 iii. The TPM MUST validate the TPM_PCR_INFO or TPM_PCR_INFO_LONG 

853 structures 
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854 8. Perform any processing necessary to make TPM_STORE_ASYMKEY key available for 

355 operations 

356 9. Load key and key information into internal memory of the TPM. If insufficient memory 

357 exists return error TPM_NOSPACE. 

358 10. Assign inKeyHandle according to internal TPM rules. 

859 1 l.Set InKeyHandle -> parentPCRStatus to parentHandle -> parentPCRStatus. 

860 12. If ParentHandle indicates it is using PCR registers then set inKeyHandle -> 
361 parentPCRStatus to TRUE. 
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S62 28. Deleted Commands 



S64 
365 

366 



363 Start of informative comment: 



These cbmmands are Inq longer.active: commands. Their removal is due to security concerns 
with their use. r \, , 



End of informative comment. 



367 1 . The TPM MUST return TPMJ3AD_ORDINAL for any deleted command 
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368 

369 

370 
371 

372 
373 
374 

375 
376 

377 
378 

379 

880 
381 



28.1 TPM_GetCapabilitySigned 



Start of informative comment: • 

Along with TPM_GetCapabilityO wrier this command allowed the possible signature of 
improper values. V 

TPM_GetCapabilitySigned is almost the same as TPM_GetCapability. The differences are 
that the input includes a challenge (a nonce) arid the response includes a digital signature 
to vouch for the source of the answer. 

If a caller itself requires proof, it is sufficient to use any signing key for which only the TPM 
and the caller have AuthData. 

If a caller requires proof for a third party, the signing key must be one whose signature is 
trusted by the third party. A TPM-identity key may be suitable . , 

End of informative comment. 



Deleted Ordinal 

TPM_GetCapabilitySigned 
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382 
383 
384 
385 



28.2 TPM GetOrdinalAuditStatus 



Start of informative comment: 

Get 



t the status of the audit flag for the given ordinal. 
End of informative comment. 



386 Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


| 1 


2 






TPM_TAG 


tag 


TPM_TAG_RQU_COMMAND 


I 2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 






TPM__C0MMAND_C0DE 


ordinal 


Command ordinal: TPM_ORD_GetOrdinalAuditStatus 


4 


4 






TPM.COMMANDCODE 


ordinalToQuery 


The ordinal whose audit flag is to be queried 


Outgoing Operands and Sizes 


PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM.TAG 


tag 


TPM_TAG_RSP_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 






TPM_RESULT 


return Code 


The return code of the operation. 


4 


1 






BOOL 


State 


Value of audit flag for ordinalToQuery 



387 



388 

389 
390 



Actions 

1. The TPM returns the Boolean value for the given ordinal. The value is TRUE if the 
command is being audited. 
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391 

392 

393 
394 

395 
396 

397 
398 

399 
900 



28.3 TPM_CertifySelfTest 



Start of informative comment: 

TPM_CertifySelfTest causes the TPM to perform a full self- test and return an authenticated 
value if the test passes. 

If a caller itself requires proof, it is sufficient to use any signing key for which only the TPM j 
and the caller have AuthData. - ; / 

If a caller requires proof for a third party, the signing key must be one whose signature is 
trusted by the third party. A TPM-identity key may be suitable. 

End of informative comment. 



Incoming Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPM_TAG 


tag 


TPM_TAG_RQU_AUTH 1_COMMAND 


2 


4 






UINT32 


paramSize 


Total number of input bytes including paramSize and tag 


3 


4 


1S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal: TPM_ORD_CerttfySelfTest 


4 


4 






TPM_KEY_HANDLE 


keyHandle 


The keyHandle identifier of a loaded key that can perform digital ! 
signatures. i 


5 


20 


2S 


20 


TPM_N0NCE 


antiReplay 


Anti Replay nonce to prevent replay of messages 


I 6 


4 






TPM.AUTHHANDLE 


authHandle 


The authorization session handle used for keyHandle authorization 






2H1 


20 


TPM.NONCE 


authLastNonceEven 


Even nonce previously generated by TPM to cover inputs 


7 


20 


3H1 


20 


TPMJMONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


8 


1 


4H1 


1 


BOOL 


continueAuthSession 


The continue use flag for the authorization session handle 1 


9 


20 






TPM_AUTHDATA 


privAuth 


The authorization session digest that authorizes the inputs and use of 
keyHandle. HMAC key: key.usageAuth 



901 Outgoing Operands and Sizes 



PARAM 


HMAC 


Type 


Name 


Description 


# 


SZ 


# 


SZ 


1 


2 






TPMJTAG 


tag 


TPM_TAG_RSP_AUTH 1 ^COMMAND 


2 


4 






UINT32 


paramSize 


Total number of output bytes including paramSize and tag 


3 


4 


1S 


4 


TPM.RESULT 


returnCode 


The return code of the operation. 






2S 


4 


TPM_COMMAND_CODE 


ordinal 


Command ordinal: TPM__ORD_CertifySelfTest 


4 


4 


3S 


4 


UINT32 


sigSize 


The length of the returned digital signature 


5 


o 


4S 


o 


BYTE[] 


sig 


The resulting digital signature. 


6 


20 


2H1 


20 


TPM_NONCE 


nonceEven 


Even nonce newly generated by TPM to cover outputs 






3H1 


20 


TPM_NONCE 


nonceOdd 


Nonce generated by system associated with authHandle 


7 


1 


4H1 


1 


BOOL 


continueAuthSession 


Continue use flag, TRUE if hande is still active 


8 


20 






TPM_AUTHDATA 


resAuth 


The authorization session digest for the returned parameters. HMAC key: 
key.usageAuth 



Level 2 Revision 94 29 March 2006 Draft 313 

TCG Published 



Copyright © TCG TPM Main Part 3 Commands 

Specification Version 1 .2 

902 Description 

903 The key in keyHandle MUST have a KEYUSAGE value of type TPM_KEY_SIGNING or 

904 TPM__KEY_LEGACY or TPM_KEY_IDENTITY . 

905 Information returned by TPM_CertifySelfTest MUST NOT aid identification of an individual 

906 TPM. 

907 Actions 

908 1. The TPM SHALL perform TPM_SelfTestFull. If the test fails the TPM returns the 

909 appropriate error code. 

910 2. After successful completion of the self- test the TPM then validates the authorization to 

911 use the key pointed to by keyHandle 

912 a. If the key pointed to by keyHandle has a signature scheme that is not 

913 TPM_SS_RSASSAPKCSlvl5_SHAl, the TPM may either return TPM_BAD_SCHEME or 

914 may return TPMJ3UCCESS and a vendor specific signature. 

915 3. Create tl the NOT null terminated string of "Test Passed", i.e. 11 bytes. 

916 4. The TPM creates m2 the message to sign by concatenating tl | | AntiReplay | | ordinal. 

917 5. The TPM signs the SHA-1 of m2 using the key identified by keyHandle, and returns the 

918 signature as sig. 

919 
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